api: add namespace adjustment #124
base: main
Conversation
```go
withNamespaces([]rspec.LinuxNamespace{
	{
		Type: rspec.PIDNamespace,
		Path: "/meshuggah.rocks",
	},
})
```
😆
LGTM after the error msg fix
We are interested in running some parts of a pod in host or totally separate pid and network namespaces, so add an adjustment that allows for that. Signed-off-by: Tycho Andersen <[email protected]>
4403b52 to 698e6ae
Need more detail on the use case. What is a "part" of a pod? E.g. the network namespace: there is currently only one network namespace for the shared networks of the pod and all of its containers, and that network namespace is host, type pod generated by the container runtime, or type user namespace pod as directed by kubelet based on the pod spec, in which case the runc runtime engine creates the netns under the user namespace. Is this some sort of non-k8s use case for linux distros to support pods such as podman pods? Need to understand these use cases to understand where and how to manage these security / isolation changes, possibly on a client basis and possibly under a new non k8s.io namespace.
Sure,
Specifically, one container in a pod. The rest of the pod we will leave as is. In fact, it's exactly the network namespace that we want to change here. The rest of the pod will live in the same set of namespaces as it usually does.
It is non-k8s in the sense that the network namespace we care about is created entirely outside of k8s, and there is no k8s infrastructure for managing it. It is unrelated to any linux-distro specific thing, and has to do with Netflix's network architecture. There is an old Plumbers talk about the specifics here: https://lpc.events/event/11/contributions/932/attachments/908/1764/LPC%202021_%20Talking%20IPv6%20to%20IPv4%20Without%20NAT_2.pdf
Actually it's the pid ns as well. We want to run in the parent pidns of the containers, so that we can see them to do seccomp() operations on them correctly.
thx for the detail
I didn't pay attention to the open PRs and ended up doing another PR to adjust namespaces: #135
I'm fine if we pick this PR in the end, I just want to be able to adjust namespaces :) As for the security discussion, I thought NRI was considered part of the runtime, i.e. you get NRI, you get root.
```go
// AdjustNamespaces applies each requested namespace to the OCI spec held by
// the generator, replacing an existing entry of the same type or adding a new one.
func (g *Generator) AdjustNamespaces(namespaces []*nri.LinuxNamespace) error {
	for _, ns := range namespaces {
		if err := g.AddOrReplaceLinuxNamespace(ns.Type, ns.Path); err != nil {
			return err
		}
	}
	return nil
}
```
In the commit you say "We are interested in running some parts of a pod in host",
but if I understand this correctly you can't remove a namespace, correct?
We are interested in running some parts of a pod in host or totally separate pid and network namespaces, so add an adjustment that allows for that.
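The reviewer's point above turns on how an OCI runtime reads the `linux.namespaces` list: an entry that is absent means the container stays in the runtime's (host's) namespace, an entry with an empty path means the runtime creates a fresh one, and an entry with a path means it joins the namespace at that path. An add-or-replace loop like the one in this PR can therefore produce "new" or "join" but never "host". The following self-contained Go program, written for this discussion and not taken from the NRI project, models those three states with a local `LinuxNamespace` struct (a stand-in for the runtime-spec type) and shows the extra remove operation, plus an absolute-path check on join paths, that a host-namespace adjustment needs; the `Adjustment` shape with its `Host` field is a hypothetical request format, not NRI's.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// LinuxNamespace mirrors the Type/Path shape of the OCI runtime-spec
// namespace entry so the example runs without the runtime-spec module.
type LinuxNamespace struct {
	Type string
	Path string
}

// Spec holds only the part of an OCI config this example cares about.
type Spec struct {
	Namespaces []LinuxNamespace
}

// Mode reports how the runtime would treat a namespace type:
// "host" (entry absent), "new" (entry with empty Path) or "join:<path>".
func (s *Spec) Mode(nsType string) string {
	for _, ns := range s.Namespaces {
		if ns.Type == nsType {
			if ns.Path == "" {
				return "new"
			}
			return "join:" + ns.Path
		}
	}
	return "host"
}

// AddOrReplace is the semantics the PR's loop relies on. It can only yield
// "new" or "join", never "host", because it never deletes an entry.
func (s *Spec) AddOrReplace(ns LinuxNamespace) {
	for i := range s.Namespaces {
		if s.Namespaces[i].Type == ns.Type {
			s.Namespaces[i].Path = ns.Path
			return
		}
	}
	s.Namespaces = append(s.Namespaces, ns)
}

// Remove drops the entry for nsType, which is what "run in the host
// namespace" actually requires. It returns false if there was no entry.
func (s *Spec) Remove(nsType string) bool {
	for i := range s.Namespaces {
		if s.Namespaces[i].Type == nsType {
			s.Namespaces = append(s.Namespaces[:i], s.Namespaces[i+1:]...)
			return true
		}
	}
	return false
}

// Adjustment is a hypothetical request shape (assumption, not NRI's API):
// Host=true asks for the entry to be removed; otherwise Path is applied
// with add-or-replace semantics.
type Adjustment struct {
	Type string
	Path string
	Host bool
}

// ApplyAdjustments applies each request in order. Join paths must be
// absolute, matching the runtime-spec requirement for namespace paths;
// rejecting relative paths here keeps a plugin from pointing the runtime
// at a path resolved against an unknown working directory.
func ApplyAdjustments(s *Spec, adjustments []Adjustment) error {
	for _, a := range adjustments {
		if a.Type == "" {
			return errors.New("namespace adjustment without a type")
		}
		if a.Host {
			s.Remove(a.Type) // absent entry == host namespace
			continue
		}
		if a.Path != "" && !filepath.IsAbs(a.Path) {
			return fmt.Errorf("namespace %q: path %q is not absolute", a.Type, a.Path)
		}
		s.AddOrReplace(LinuxNamespace{Type: a.Type, Path: a.Path})
	}
	return nil
}

func main() {
	// Constructed sample spec: a typical pod container with its own pid,
	// network and mount namespaces.
	s := &Spec{Namespaces: []LinuxNamespace{{Type: "pid"}, {Type: "network"}, {Type: "mount"}}}
	err := ApplyAdjustments(s, []Adjustment{
		{Type: "network", Path: "/run/netns/example"}, // join an externally created netns
		{Type: "pid", Host: true},                      // parent pid namespace needs removal
	})
	fmt.Println(err, s.Mode("network"), s.Mode("pid"), s.Mode("mount"))
}
```

Run as-is it prints the network namespace in "join" mode, pid in "host" mode and mount untouched; feeding only `AddOrReplace` requests, as the PR's loop does, leaves every adjusted type in "new" or "join" mode, which is the gap the review comment identifies.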