Gitiles
Code Review Sign In
gerrit-dev.monogon.dev / monogon / 2ecccae4ff62b687ec5e218349fcf8a42069dfc9^! / . / metropolis / node
commit2ecccae4ff62b687ec5e218349fcf8a42069dfc9[log] [tgz]
authorLorenz Brun <lorenz@monogon.tech>Wed Nov 27 22:03:35 2024 +0100
committerLorenz Brun <lorenz@monogon.tech>Mon Dec 02 16:50:54 2024 +0000
treec5a5914c9d3bd8fb37a5650a6b3e4881f9fc2610
parentd58edf4e2f745427d69ecc72bfe9a9ead69d697d [diff]
m/node: enable user namespaces in K8s

This enables the two feature gates for user namespace support in K8s.
We did not previously have a passwd file which caused Go's UserLookup
to fail with an unexpected error. Add an mostly-empty placeholder file
to placate it.

Change-Id: I71a7a6dc889a289512075a25b7e551f2cd65ffb6
Reviewed-on: https://review.monogon.dev/c/monogon/+/3665
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
Tested-by: Jenkins CI

diff --git a/metropolis/node/BUILD.bazel b/metropolis/node/BUILD.bazel
index 6ae234a..c09ca2d 100644
--- a/metropolis/node/BUILD.bazel
+++ b/metropolis/node/BUILD.bazel

@@ -33,6 +33,10 @@
     },
 )
 
+exports_files([
+    "passwd",
+])
+
 erofs_image(
     name = "rootfs",
     files = {
@@ -42,6 +46,7 @@
         # These should not be explicitly used by Metropolis code and are only here for compatibility with
         # paths hardcoded by standard libraries (like Go's).
         "@cacerts//file": "/etc/ssl/cert.pem",
+        "//metropolis/node:passwd": "/etc/passwd",
         "//osbase/net/dns:resolv.conf": "/etc/resolv.conf",
         "//osbase/net/dns:hosts": "/etc/hosts",
         ":os-release-info": "/etc/os-release",

diff --git a/metropolis/node/kubernetes/BUILD.bazel b/metropolis/node/kubernetes/BUILD.bazel
index 9f51ba0..15eec36 100644
--- a/metropolis/node/kubernetes/BUILD.bazel
+++ b/metropolis/node/kubernetes/BUILD.bazel

@@ -66,6 +66,7 @@
         "@io_k8s_component_base//featuregate",
         "@io_k8s_kubelet//config/v1beta1",
         "@io_k8s_kubelet//pkg/apis/pluginregistration/v1:pluginregistration",
+        "@io_k8s_kubernetes//pkg/features",
         "@io_k8s_kubernetes//plugin/pkg/admission/security/podsecurity",
         "@io_k8s_pod_security_admission//admission/api/v1:api",
         "@org_golang_google_grpc//:grpc",

diff --git a/metropolis/node/kubernetes/feature_gates.go b/metropolis/node/kubernetes/feature_gates.go
index 06d970f..9be3b35 100644
--- a/metropolis/node/kubernetes/feature_gates.go
+++ b/metropolis/node/kubernetes/feature_gates.go

@@ -5,6 +5,7 @@
 	"strings"
 
 	"k8s.io/component-base/featuregate"
+	"k8s.io/kubernetes/pkg/features"
 )
 
 type featureGates map[featuregate.Feature]bool
@@ -32,4 +33,7 @@
 	return out
 }
 
-var extraFeatureGates = featureGates{}
+var extraFeatureGates = featureGates{
+	features.UserNamespacesSupport:              true,
+	features.UserNamespacesPodSecurityStandards: true,
+}

diff --git a/metropolis/node/passwd b/metropolis/node/passwd
new file mode 100644
index 0000000..e363ba6
--- /dev/null
+++ b/metropolis/node/passwd

@@ -0,0 +1 @@
+root:x:0:0:root:/nonexistent:/sbin/nologin