/*
Copyright 2015 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package container
import (
|
2019-09-27 21:51:53 +00:00
|
|
|
"encoding/json"
|
2019-01-12 04:58:27 +00:00
|
|
|
"fmt"
|
|
|
|
"hash/fnv"
|
|
|
|
"strings"
|
|
|
|
|
2020-08-10 17:43:49 +00:00
|
|
|
"k8s.io/klog/v2"
|
2019-01-12 04:58:27 +00:00
|
|
|
|
2019-12-12 01:27:03 +00:00
|
|
|
v1 "k8s.io/api/core/v1"
|
2019-01-12 04:58:27 +00:00
|
|
|
"k8s.io/apimachinery/pkg/runtime"
|
|
|
|
"k8s.io/apimachinery/pkg/types"
|
2019-08-30 18:33:25 +00:00
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
2019-01-12 04:58:27 +00:00
|
|
|
"k8s.io/client-go/tools/record"
|
2019-08-30 18:33:25 +00:00
|
|
|
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
|
2019-09-27 21:51:53 +00:00
|
|
|
podutil "k8s.io/kubernetes/pkg/api/v1/pod"
|
2021-07-02 08:43:15 +00:00
|
|
|
sc "k8s.io/kubernetes/pkg/securitycontext"
|
2019-01-12 04:58:27 +00:00
|
|
|
hashutil "k8s.io/kubernetes/pkg/util/hash"
|
|
|
|
"k8s.io/kubernetes/third_party/forked/golang/expansion"
|
2019-12-12 01:27:03 +00:00
|
|
|
utilsnet "k8s.io/utils/net"
|
2019-01-12 04:58:27 +00:00
|
|
|
)
// HandlerRunner runs a lifecycle handler for a container.
type HandlerRunner interface {
	// Run executes handler for container in pod; containerID identifies the
	// runtime container the handler runs against. The string result is
	// implementation-defined output of the handler; a non-nil error reports
	// that the handler could not be run or did not succeed.
	Run(containerID ContainerID, pod *v1.Pod, container *v1.Container, handler *v1.Handler) (string, error)
}
// RuntimeHelper wraps kubelet to make container runtime
// able to get necessary information like the RunContainerOptions, DNS settings, Host IP.
type RuntimeHelper interface {
	// GenerateRunContainerOptions builds the RunContainerOptions for container in pod.
	// podIP and podIPs are the addresses assigned to the pod (podIP is presumably
	// the primary one — confirm against the implementation). cleanupAction, when
	// non-nil, is presumably to be invoked by the caller once the options are no
	// longer needed; verify with the implementing kubelet code.
	GenerateRunContainerOptions(pod *v1.Pod, container *v1.Container, podIP string, podIPs []string) (contOpts *RunContainerOptions, cleanupAction func(), err error)
	// GetPodDNS returns the DNS configuration the runtime should apply for pod.
	GetPodDNS(pod *v1.Pod) (dnsConfig *runtimeapi.DNSConfig, err error)
	// GetPodCgroupParent returns the CgroupName identifier, and its literal cgroupfs form on the host
	// of a pod.
	GetPodCgroupParent(pod *v1.Pod) string
	// GetPodDir returns the kubelet's directory for the pod identified by podUID.
	GetPodDir(podUID types.UID) string
	// GeneratePodHostNameAndDomain returns the hostname and host domain to use for pod.
	GeneratePodHostNameAndDomain(pod *v1.Pod) (hostname string, hostDomain string, err error)
	// GetExtraSupplementalGroupsForPod returns a list of the extra
	// supplemental groups for the Pod. These extra supplemental groups come
	// from annotations on persistent volumes that the pod depends on.
	GetExtraSupplementalGroupsForPod(pod *v1.Pod) []int64
}
// ShouldContainerBeRestarted reports whether container of pod needs to be
// (re)started, judged from the container's most recent status in podStatus.
// TODO(yifan): Think about how to refactor this.
func ShouldContainerBeRestarted(container *v1.Container, pod *v1.Pod, podStatus *PodStatus) bool {
	// A pod that is already marked for deletion never has its containers restarted.
	if pod.DeletionTimestamp != nil {
		return false
	}

	latest := podStatus.FindContainerStatusByName(container.Name)
	if latest == nil {
		// No status at all: either the container was never started, or every
		// historical container has been garbage collected. Both mean "start it".
		return true
	}

	switch latest.State {
	case ContainerStateRunning:
		return false
	case ContainerStateUnknown, ContainerStateCreated:
		// Containers in the unknown or created state are always restarted.
		return true
	}

	// The container is dead; the pod's restart policy decides.
	switch pod.Spec.RestartPolicy {
	case v1.RestartPolicyNever:
		klog.V(4).InfoS("Already ran container, do nothing", "pod", klog.KObj(pod), "containerName", container.Name)
		return false
	case v1.RestartPolicyOnFailure:
		// Only a non-zero exit triggers a restart under OnFailure.
		if latest.ExitCode == 0 {
			klog.V(4).InfoS("Already successfully ran container, do nothing", "pod", klog.KObj(pod), "containerName", container.Name)
			return false
		}
	}
	return true
}
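// HashContainer returns the hash of the container. It is used to compare
// the running container with its desired spec.
// Note: remember to update hashValues in container_hash_test.go as well.
func HashContainer(container *v1.Container) uint64 {
	hash := fnv.New32a()
	// Omit nil or empty field when calculating hash value
	// Please see https://github.com/kubernetes/kubernetes/issues/53644
	containerJSON, err := json.Marshal(container)
	if err != nil {
		// The hash is still produced so callers keep working, but a marshal
		// failure means the bytes hashed below are nil and every such container
		// would collide on the same value (and so never be detected as changed).
		// Surface it rather than discarding it silently.
		klog.ErrorS(err, "Failed to marshal container for hashing")
	}
	hashutil.DeepHashObject(hash, containerJSON)
	return uint64(hash.Sum32())
}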
// envVarsToMap constructs a map of environment name to value from a slice
// of env vars. A later entry with the same Name overwrites an earlier one.
func envVarsToMap(envs []EnvVar) map[string]string {
	byName := make(map[string]string, len(envs))
	for i := range envs {
		byName[envs[i].Name] = envs[i].Value
	}
	return byName
}
// v1EnvVarsToMap constructs a map of environment name to value from a slice
// of v1 env vars. Only the static Value is used; ValueFrom sources are not
// resolved here. A later entry with the same Name overwrites an earlier one.
func v1EnvVarsToMap(envs []v1.EnvVar) map[string]string {
	byName := make(map[string]string, len(envs))
	for i := range envs {
		byName[envs[i].Name] = envs[i].Value
	}
	return byName
}
// ExpandContainerCommandOnlyStatic substitutes only static environment variable values from the
// container environment definitions. This does *not* include valueFrom substitutions.
// TODO: callers should use ExpandContainerCommandAndArgs with a fully resolved list of environment.
func ExpandContainerCommandOnlyStatic(containerCommand []string, envs []v1.EnvVar) (command []string) {
	mapping := expansion.MappingFuncFor(v1EnvVarsToMap(envs))
	// Ranging over an empty slice appends nothing, so command stays nil when
	// containerCommand is empty.
	for _, word := range containerCommand {
		command = append(command, expansion.Expand(word, mapping))
	}
	return command
}
// ExpandContainerVolumeMounts expands the subpath of the given VolumeMount by replacing
// variable references with the values of given EnvVar. Any referenced variable that is
// absent or empty makes the expansion fail with an error naming the missing keys: the
// expanded string is used as the mount's subPath, and a silently empty substitution
// would change which directory gets mounted.
func ExpandContainerVolumeMounts(mount v1.VolumeMount, envs []EnvVar) (string, error) {
	values := envVarsToMap(envs)
	missing := sets.NewString()

	lookup := func(key string) string {
		v, found := values[key]
		if !found || v == "" {
			missing.Insert(key)
		}
		return v
	}
	expanded := expansion.Expand(mount.SubPathExpr, lookup)

	if missing.Len() > 0 {
		return "", fmt.Errorf("missing value for %s", strings.Join(missing.List(), ", "))
	}
	return expanded, nil
}
// ExpandContainerCommandAndArgs expands the given Container's command and args by
// replacing variable references with the values of given EnvVar. An unset Command
// or Args yields a nil slice for the corresponding result.
func ExpandContainerCommandAndArgs(container *v1.Container, envs []EnvVar) (command []string, args []string) {
	mapping := expansion.MappingFuncFor(envVarsToMap(envs))

	// expandAll expands every word; it returns nil for an empty input.
	expandAll := func(words []string) []string {
		var out []string
		for _, w := range words {
			out = append(out, expansion.Expand(w, mapping))
		}
		return out
	}

	return expandAll(container.Command), expandAll(container.Args)
}
// FilterEventRecorder creates an event recorder to record object's event except
// implicitly required container's, like infra container. The returned recorder
// forwards to recorder after filtering (see innerEventRecorder.shouldRecordEvent).
func FilterEventRecorder(recorder record.EventRecorder) record.EventRecorder {
	filtered := &innerEventRecorder{recorder: recorder}
	return filtered
}
// innerEventRecorder is the record.EventRecorder returned by FilterEventRecorder.
// It forwards events to recorder only when the target is a non-nil
// *v1.ObjectReference whose FieldPath does not start with ImplicitContainerPrefix
// (see shouldRecordEvent); everything else is dropped.
type innerEventRecorder struct {
	// recorder receives every event that passes the filter.
	recorder record.EventRecorder
}
// shouldRecordEvent decides whether an event for object is forwarded. It returns
// the *v1.ObjectReference to record against and true when object is a non-nil
// reference whose FieldPath is not an implicit container; otherwise nil, false.
func (irecorder *innerEventRecorder) shouldRecordEvent(object runtime.Object) (*v1.ObjectReference, bool) {
	ref, isRef := object.(*v1.ObjectReference)
	// The nil check must come AFTER the type assertion: a typed nil pointer inside
	// the interface still asserts successfully. See https://github.com/kubernetes/kubernetes/issues/95552
	if !isRef || ref == nil {
		return nil, false
	}
	if strings.HasPrefix(ref.FieldPath, ImplicitContainerPrefix) {
		return nil, false
	}
	return ref, true
}
// Event forwards a plain event to the wrapped recorder when object passes the filter.
func (irecorder *innerEventRecorder) Event(object runtime.Object, eventtype, reason, message string) {
	ref, ok := irecorder.shouldRecordEvent(object)
	if !ok {
		return
	}
	irecorder.recorder.Event(ref, eventtype, reason, message)
}
// Eventf forwards a formatted event to the wrapped recorder when object passes the filter.
func (irecorder *innerEventRecorder) Eventf(object runtime.Object, eventtype, reason, messageFmt string, args ...interface{}) {
	ref, ok := irecorder.shouldRecordEvent(object)
	if !ok {
		return
	}
	irecorder.recorder.Eventf(ref, eventtype, reason, messageFmt, args...)
}
// AnnotatedEventf forwards an annotated, formatted event to the wrapped recorder
// when object passes the filter.
func (irecorder *innerEventRecorder) AnnotatedEventf(object runtime.Object, annotations map[string]string, eventtype, reason, messageFmt string, args ...interface{}) {
	ref, ok := irecorder.shouldRecordEvent(object)
	if !ok {
		return
	}
	irecorder.recorder.AnnotatedEventf(ref, annotations, eventtype, reason, messageFmt, args...)
}
// IsHostNetworkPod returns whether host networking is requested for the given Pod,
// i.e. the value of pod.Spec.HostNetwork.
// Pod must not be nil.
func IsHostNetworkPod(pod *v1.Pod) bool {
	hostNetwork := pod.Spec.HostNetwork
	return hostNetwork
}
// ConvertPodStatusToRunningPod returns Pod given PodStatus and container runtime string.
// Only container statuses in ContainerStateRunning become entries in Containers;
// every sandbox status becomes an entry in Sandboxes, typed with runtimeName.
// TODO(random-liu): Convert PodStatus to running Pod, should be deprecated soon
func ConvertPodStatusToRunningPod(runtimeName string, podStatus *PodStatus) Pod {
	running := Pod{
		ID:        podStatus.ID,
		Name:      podStatus.Name,
		Namespace: podStatus.Namespace,
	}

	for _, cs := range podStatus.ContainerStatuses {
		if cs.State == ContainerStateRunning {
			running.Containers = append(running.Containers, &Container{
				ID:      cs.ID,
				Name:    cs.Name,
				Image:   cs.Image,
				ImageID: cs.ImageID,
				Hash:    cs.Hash,
				State:   cs.State,
			})
		}
	}

	// Sandboxes are reported as if they were containers (see SandboxToContainerState).
	for _, sb := range podStatus.SandboxStatuses {
		running.Sandboxes = append(running.Sandboxes, &Container{
			ID:    ContainerID{Type: runtimeName, ID: sb.Id},
			State: SandboxToContainerState(sb.State),
		})
	}
	return running
}
// SandboxToContainerState converts runtimeapi.PodSandboxState to
// kubecontainer.State: READY maps to running, NOTREADY to exited, and
// anything else to unknown.
// This is only needed because we need to return sandboxes as if they were
// kubecontainer.Containers to avoid substantial changes to PLEG.
// TODO: Remove this once it becomes obsolete.
func SandboxToContainerState(state runtimeapi.PodSandboxState) State {
	if state == runtimeapi.PodSandboxState_SANDBOX_READY {
		return ContainerStateRunning
	}
	if state == runtimeapi.PodSandboxState_SANDBOX_NOTREADY {
		return ContainerStateExited
	}
	return ContainerStateUnknown
}
// FormatPod returns a string representing a pod in a human readable format,
// with pod UID as part of the string: "<name>_<namespace>(<uid>)".
func FormatPod(pod *Pod) string {
	// Use underscore as the delimiter because it is not allowed in pod name
	// (DNS subdomain format), while allowed in the container name format.
	return pod.Name + "_" + pod.Namespace + "(" + string(pod.ID) + ")"
}
// GetContainerSpec gets the container spec by containerName, looking through every
// feature-enabled container type of the pod. It returns nil when no container
// with that name exists.
func GetContainerSpec(pod *v1.Pod, containerName string) *v1.Container {
	var found *v1.Container
	visit := func(c *v1.Container, _ podutil.ContainerType) bool {
		if c.Name != containerName {
			return true // keep visiting
		}
		found = c
		return false // stop at the first match
	}
	podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), visit)
	return found
}
// HasPrivilegedContainer returns true if any of the containers in the pod are privileged.
// Only the container-level SecurityContext.Privileged flag is consulted; a nil
// SecurityContext or nil Privileged counts as not privileged.
func HasPrivilegedContainer(pod *v1.Pod) bool {
	privileged := false
	podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), func(c *v1.Container, _ podutil.ContainerType) bool {
		secCtx := c.SecurityContext
		if secCtx == nil || secCtx.Privileged == nil || !*secCtx.Privileged {
			return true // not privileged: keep looking
		}
		privileged = true
		return false // one is enough
	})
	return privileged
}
// HasWindowsHostProcessContainer returns true if any of the containers in a pod are
// HostProcess containers, as decided by sc.HasWindowsHostProcessRequest.
func HasWindowsHostProcessContainer(pod *v1.Pod) bool {
	found := false
	visit := func(c *v1.Container, _ podutil.ContainerType) bool {
		if !sc.HasWindowsHostProcessRequest(pod, c) {
			return true // keep looking
		}
		found = true
		return false // one is enough
	}
	podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), visit)
	return found
}
// AllContainersAreWindowsHostProcess returns true if all containers in a pod are
// HostProcess containers, as decided by sc.HasWindowsHostProcessRequest.
// Note that the result is vacuously true for a pod spec with no containers.
func AllContainersAreWindowsHostProcess(pod *v1.Pod) bool {
	all := true
	visit := func(c *v1.Container, _ podutil.ContainerType) bool {
		if sc.HasWindowsHostProcessRequest(pod, c) {
			return true // keep checking
		}
		all = false
		return false // first non-HostProcess container settles it
	}
	podutil.VisitContainers(&pod.Spec, podutil.AllFeatureEnabledContainers(), visit)
	return all
}
// MakePortMappings creates internal port mapping from api port mapping.
// Each container port is keyed by its Name, or by a synthesized
// "<family>-<protocol>-<hostIP>:<containerPort>:<hostPort>" key when Name is
// empty; a key seen a second time is logged and that port is skipped.
func MakePortMappings(container *v1.Container) (ports []PortMapping) {
	seen := make(map[string]struct{}, len(container.Ports))
	for _, p := range container.Ports {
		// Address family of this entry, derived from HostIP, so that duplicate
		// containerPort / protocol rules are kept apart across address families.
		// https://github.com/kubernetes/kubernetes/issues/82373
		family := "any"
		switch {
		case p.HostIP == "":
			// no host IP: family stays "any"
		case utilsnet.IsIPv6String(p.HostIP):
			family = "v6"
		default:
			family = "v4"
		}

		name := p.Name
		if name == "" {
			name = fmt.Sprintf("%s-%s-%s:%d:%d", family, p.Protocol, p.HostIP, p.ContainerPort, p.HostPort)
		}

		// Protect against a port name being used more than once in a container.
		if _, dup := seen[name]; dup {
			klog.InfoS("Port name conflicted, it is defined more than once", "portName", name)
			continue
		}
		seen[name] = struct{}{}

		ports = append(ports, PortMapping{
			HostPort:      int(p.HostPort),
			ContainerPort: int(p.ContainerPort),
			Protocol:      p.Protocol,
			HostIP:        p.HostIP,
		})
	}
	return ports
}