KEP-127: Add CRI changes for userns support

We have a PoC for containerd and CRIO working with these changes just fine. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> Co-authored-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
kubernetes · Apr 7, 2022 · b0526dc · b0526dc
1 parent edb6849
commit b0526dc
Showing 1 changed file with 60 additions and 0 deletions.
diff --git a/keps/sig-node/127-user-namespaces/README.md b/keps/sig-node/127-user-namespaces/README.md
@@ -19,6 +19,7 @@
   - [Risks and Mitigations](#risks-and-mitigations)
 - [Design Details](#design-details)
   - [Pod.spec changes](#podspec-changes)
+  - [CRI changes](#cri-changes)
   - [Phases](#phases)
     - [Phase 1: pods &quot;without&quot; volumes](#phase-1-pods-without-volumes)
     - [Phase 2: pods with volumes](#phase-2-pods-with-volumes)
@@ -200,6 +201,65 @@ If true or not present, uses the host user namespace (as today)
 If false, a new userns is created for the pod.
 By default it is set to `true`.
 
+### CRI changes
+
+The following messages will be added:
+
+```
+// A IDMapping describes a ID mapping for the user namespace used for the
+// pod.
+message IDMapping {
+    // host_id is the id on the host.
+    uint32 host_id = 1;
+    // container_id is the id in the container.
+    uint32 container_id = 2;
+    // length is the size of the range to map.
+    uint32 length = 3;
+}
+
+// A UserNamespace describes the intended user namespace configuration.
+message UserNamespace {
+    // User namespace for this sandbox.
+    // Note: It currently supports only POD and NODE.
+    NamespaceMode mode = 1;
+
+    // uids specifies the UID mappings for the user namespace.
+    repeated IDMapping uids = 2;
+
+    // gids specifies the GID mappings for the user namespace.
+    repeated IDMapping gids = 3;
+}
+```
+
+The existing message `NamespaceOption` will have a `user` field added.
+The complete `NamespaceOption` message with the new field is shown here:
+
+```
+// NamespaceOption provides options for Linux namespaces.
+message NamespaceOption {
+    // Network namespace for this container/sandbox.
+    // Note: There is currently no way to set CONTAINER scoped network in the Kubernetes API.
+    // Namespaces currently set by the kubelet: POD, NODE
+    NamespaceMode network = 1;
+    // PID namespace for this container/sandbox.
+    // Note: The CRI default is POD, but the v1.PodSpec default is CONTAINER.
+    // The kubelet's runtime manager will set this to CONTAINER explicitly for v1 pods.
+    // Namespaces currently set by the kubelet: POD, CONTAINER, NODE, TARGET
+    NamespaceMode pid = 2;
+    // IPC namespace for this container/sandbox.
+    // Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API.
+    // Namespaces currently set by the kubelet: POD, NODE
+    NamespaceMode ipc = 3;
+    // Target Container ID for NamespaceMode of TARGET. This container must have been
+    // previously created in the same pod. It is not possible to specify different targets
+    // for each namespace.
+    string target_id = 4;
+    // User namespace for this sandbox.
+    UserNamespace user = 5;
+}
+
+```
+
 ### Phases
 
 We propose to divide the work in 3 phases. Each phase makes this work with