Add support for runc container runtime
Adds the runc container runtime, its containerd shim, required Linux features and plumbs it into
Kubernetes using RuntimeClasses and containerd runtime selection. Also adds support for building C-based
targets as part of our initramfs.
The Bazel portion is a bit verbose but since label dicts cannot be reasonably concatenated and closures
are prohibited in Starlark I see no better way.
For this to be usable for most images, new Linux binfmt options have been added. The hashbang binfmt
shouldn't have any negative impact, but binfmt_misc has a registry which is only namespaced if used
with user namespaces, which are currently not used and thus might represent an exploit vector. This
is tracked in T864.
Test Plan: New E2E tests covering this feature have been added.
X-Origin-Diff: phab/D625
GitOrigin-RevId: 1e7e27166135437b2965eca4dc238f3255c9b1ba
diff --git a/core/internal/kubernetes/reconciler/BUILD.bazel b/core/internal/kubernetes/reconciler/BUILD.bazel
index 1e82abe..fb77ae2 100644
--- a/core/internal/kubernetes/reconciler/BUILD.bazel
+++ b/core/internal/kubernetes/reconciler/BUILD.bazel
@@ -7,6 +7,7 @@
"resources_csi.go",
"resources_podsecuritypolicy.go",
"resources_rbac.go",
+ "resources_runtimeclass.go",
"resources_storageclass.go",
],
importpath = "git.monogon.dev/source/nexantic.git/core/internal/kubernetes/reconciler",
@@ -14,6 +15,7 @@
deps = [
"//core/internal/common/supervisor:go_default_library",
"@io_k8s_api//core/v1:go_default_library",
+ "@io_k8s_api//node/v1beta1:go_default_library",
"@io_k8s_api//policy/v1beta1:go_default_library",
"@io_k8s_api//rbac/v1:go_default_library",
"@io_k8s_api//storage/v1:go_default_library",
@@ -28,6 +30,7 @@
srcs = ["reconciler_test.go"],
embed = [":go_default_library"],
deps = [
+ "@io_k8s_api//node/v1beta1:go_default_library",
"@io_k8s_api//policy/v1beta1:go_default_library",
"@io_k8s_api//rbac/v1:go_default_library",
"@io_k8s_api//storage/v1:go_default_library",
diff --git a/core/internal/kubernetes/reconciler/reconciler.go b/core/internal/kubernetes/reconciler/reconciler.go
index a8b6272..c972996 100644
--- a/core/internal/kubernetes/reconciler/reconciler.go
+++ b/core/internal/kubernetes/reconciler/reconciler.go
@@ -108,6 +108,7 @@
"clusterrolebindings": resourceClusterRoleBindings{clientSet},
"storageclasses": resourceStorageClasses{clientSet},
"csidrivers": resourceCSIDrivers{clientSet},
+ "runtimeclasses": resourceRuntimeClasses{clientSet},
}
}
diff --git a/core/internal/kubernetes/reconciler/reconciler_test.go b/core/internal/kubernetes/reconciler/reconciler_test.go
index 5d78d82..b58d4af 100644
--- a/core/internal/kubernetes/reconciler/reconciler_test.go
+++ b/core/internal/kubernetes/reconciler/reconciler_test.go
@@ -21,6 +21,7 @@
"fmt"
"testing"
+ node "k8s.io/api/node/v1beta1"
policy "k8s.io/api/policy/v1beta1"
rbac "k8s.io/api/rbac/v1"
storage "k8s.io/api/storage/v1"
@@ -42,6 +43,8 @@
return &v2.ObjectMeta
case *policy.PodSecurityPolicy:
return &v2.ObjectMeta
+ case *node.RuntimeClass:
+ return &v2.ObjectMeta
}
return nil
}
diff --git a/core/internal/kubernetes/reconciler/resources_runtimeclass.go b/core/internal/kubernetes/reconciler/resources_runtimeclass.go
new file mode 100644
index 0000000..c202c0e
--- /dev/null
+++ b/core/internal/kubernetes/reconciler/resources_runtimeclass.go
@@ -0,0 +1,69 @@
+// Copyright 2020 The Monogon Project Authors.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package reconciler
+
+import (
+ "context"
+
+ node "k8s.io/api/node/v1beta1"
+ meta "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/client-go/kubernetes"
+)
+
+type resourceRuntimeClasses struct {
+ kubernetes.Interface
+}
+
+func (r resourceRuntimeClasses) List(ctx context.Context) ([]string, error) {
+ res, err := r.NodeV1beta1().RuntimeClasses().List(ctx, listBuiltins)
+ if err != nil {
+ return nil, err
+ }
+ objs := make([]string, len(res.Items))
+ for i, el := range res.Items {
+ objs[i] = el.ObjectMeta.Name
+ }
+ return objs, nil
+}
+
+func (r resourceRuntimeClasses) Create(ctx context.Context, el interface{}) error {
+ _, err := r.NodeV1beta1().RuntimeClasses().Create(ctx, el.(*node.RuntimeClass), meta.CreateOptions{})
+ return err
+}
+
+func (r resourceRuntimeClasses) Delete(ctx context.Context, name string) error {
+ return r.NodeV1beta1().RuntimeClasses().Delete(ctx, name, meta.DeleteOptions{})
+}
+
+func (r resourceRuntimeClasses) Expected() map[string]interface{} {
+ return map[string]interface{}{
+ "gvisor": &node.RuntimeClass{
+ ObjectMeta: meta.ObjectMeta{
+ Name: "gvisor",
+ Labels: builtinLabels(nil),
+ },
+ Handler: "runsc",
+ },
+ "runc": &node.RuntimeClass{
+ ObjectMeta: meta.ObjectMeta{
+ Name: "runc",
+ Labels: builtinLabels(nil),
+ },
+ Handler: "runc",
+ },
+ }
+}