m/node: enable user namespaces in K8s
This enables the two feature gates for user namespace support in K8s.
We did not previously have a passwd file which caused Go's UserLookup
to fail with an unexpected error. Add an mostly-empty placeholder file
to placate it.
Change-Id: I71a7a6dc889a289512075a25b7e551f2cd65ffb6
Reviewed-on: https://review.monogon.dev/c/monogon/+/3665
Reviewed-by: Tim Windelschmidt <tim@monogon.tech>
Tested-by: Jenkins CI
diff --git a/metropolis/node/kubernetes/BUILD.bazel b/metropolis/node/kubernetes/BUILD.bazel
index 9f51ba0..15eec36 100644
--- a/metropolis/node/kubernetes/BUILD.bazel
+++ b/metropolis/node/kubernetes/BUILD.bazel
@@ -66,6 +66,7 @@
"@io_k8s_component_base//featuregate",
"@io_k8s_kubelet//config/v1beta1",
"@io_k8s_kubelet//pkg/apis/pluginregistration/v1:pluginregistration",
+ "@io_k8s_kubernetes//pkg/features",
"@io_k8s_kubernetes//plugin/pkg/admission/security/podsecurity",
"@io_k8s_pod_security_admission//admission/api/v1:api",
"@org_golang_google_grpc//:grpc",
diff --git a/metropolis/node/kubernetes/feature_gates.go b/metropolis/node/kubernetes/feature_gates.go
index 06d970f..9be3b35 100644
--- a/metropolis/node/kubernetes/feature_gates.go
+++ b/metropolis/node/kubernetes/feature_gates.go
@@ -5,6 +5,7 @@
"strings"
"k8s.io/component-base/featuregate"
+ "k8s.io/kubernetes/pkg/features"
)
type featureGates map[featuregate.Feature]bool
@@ -32,4 +33,7 @@
return out
}
-var extraFeatureGates = featureGates{}
+var extraFeatureGates = featureGates{
+ features.UserNamespacesSupport: true,
+ features.UserNamespacesPodSecurityStandards: true,
+}