From 8bc6e59278ab022efc37ab992b0fc35e5c731256 Mon Sep 17 00:00:00 2001
From: Pengfei Ni
Date: Fri, 12 May 2017 15:41:15 +0800
Subject: [PATCH] kuberuntime: set sysctls for sandbox config
---
 pkg/kubelet/kuberuntime/BUILD | 1 +
 pkg/kubelet/kuberuntime/helpers.go | 19 +++++++++
 pkg/kubelet/kuberuntime/helpers_test.go | 40 +++++++++++++++++++
 .../kuberuntime/kuberuntime_sandbox.go | 20 +++++++---
 4 files changed, 75 insertions(+), 5 deletions(-)
diff --git a/pkg/kubelet/kuberuntime/BUILD b/pkg/kubelet/kuberuntime/BUILD
index f4d969f36f..5a78beb568 100644
--- a/pkg/kubelet/kuberuntime/BUILD
+++ b/pkg/kubelet/kuberuntime/BUILD
@@ -29,6 +29,7 @@ go_library(
 deps = [
 "//pkg/api:go_default_library",
 "//pkg/api/v1:go_default_library",
+ "//pkg/api/v1/helper:go_default_library",
 "//pkg/api/v1/ref:go_default_library",
 "//pkg/credentialprovider:go_default_library",
 "//pkg/kubelet/apis/cri:go_default_library",
diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
index e7d2df2c9c..df6a2953ea 100644
--- a/pkg/kubelet/kuberuntime/helpers.go
+++ b/pkg/kubelet/kuberuntime/helpers.go
@@ -24,6 +24,7 @@ import (
 "github.com/golang/glog"
 "k8s.io/apimachinery/pkg/types"
 "k8s.io/kubernetes/pkg/api/v1"
+ v1helper "k8s.io/kubernetes/pkg/api/v1/helper"
 runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
 kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 )
@@ -236,3 +237,21 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim
 }
 return &kubecontainer.RuntimeStatus{Conditions: conditions}
 }
+
+// getSysctlsFromAnnotations gets sysctls and unsafeSysctls from annotations.
+func getSysctlsFromAnnotations(annotations map[string]string) (map[string]string, error) {
+ apiSysctls, apiUnsafeSysctls, err := v1helper.SysctlsFromPodAnnotations(annotations)
+ if err != nil {
+ return nil, err
+ }
+
+ sysctls := make(map[string]string)
+ for _, c := range apiSysctls {
+ sysctls[c.Name] = c.Value
+ }
+ for _, c := range apiUnsafeSysctls {
+ sysctls[c.Name] = c.Value
+ }
+
+ return sysctls, nil
+}
diff --git a/pkg/kubelet/kuberuntime/helpers_test.go b/pkg/kubelet/kuberuntime/helpers_test.go
index 5297ef5e7c..5d8a8c3e40 100644
--- a/pkg/kubelet/kuberuntime/helpers_test.go
+++ b/pkg/kubelet/kuberuntime/helpers_test.go
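Review bot: The two loops in getSysctlsFromAnnotations write into the same map with last-write-wins, so a sysctl named in both the safe and the unsafe annotation is silently overridden by the unsafe value instead of being rejected; surface the conflict in the second loop before assigning, e.g. `if _, dup := sysctls[c.Name]; dup { return nil, fmt.Errorf("sysctl %q is specified in both %s and %s", c.Name, v1.SysctlsPodAnnotationKey, v1.UnsafeSysctlsPodAnnotationKey) }` (fmt is not among the imports visible in this diff, so check it is already imported). Merging the two lists also erases the safe/unsafe distinction before the values reach the CRI, and nothing in this hunk checks the names against an allow-list, so I take it the kubelet's sysctl admission still gates the unsafe annotation upstream of this helper; that is worth confirming rather than assuming. The doc comment should state the merge semantics, e.g. `// getSysctlsFromAnnotations returns the union of the safe and unsafe sysctl annotations as a name->value map; on a duplicate name the unsafe value wins.`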
@@ -46,3 +46,43 @@ func TestStableKey(t *testing.T) {
 newKey := getStableKey(pod, container)
 assert.NotEqual(t, oldKey, newKey)
 }
+
+// TestGetSystclsFromAnnotations tests the logic of getting sysctls from annotations.
+func TestGetSystclsFromAnnotations(t *testing.T) {
+ tests := []struct {
+ annotations map[string]string
+ expectedSysctls map[string]string
+ }{{
+ annotations: map[string]string{
+ v1.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
+ v1.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
+ },
+ expectedSysctls: map[string]string{
+ "kernel.shmmni": "32768",
+ "kernel.shmmax": "1000000000",
+ "knet.ipv4.route.min_pmtu": "1000",
+ },
+ }, {
+ annotations: map[string]string{
+ v1.SysctlsPodAnnotationKey: "kernel.shmmni=32768,kernel.shmmax=1000000000",
+ },
+ expectedSysctls: map[string]string{
+ "kernel.shmmni": "32768",
+ "kernel.shmmax": "1000000000",
+ },
+ }, {
+ annotations: map[string]string{
+ v1.UnsafeSysctlsPodAnnotationKey: "knet.ipv4.route.min_pmtu=1000",
+ },
+ expectedSysctls: map[string]string{
+ "knet.ipv4.route.min_pmtu": "1000",
+ },
+ }}
+
+ for i, test := range tests {
+ actualSysctls, err := getSysctlsFromAnnotations(test.annotations)
+ assert.NoError(t, err, "TestCase[%d]", i)
+ assert.Len(t, actualSysctls, len(test.expectedSysctls), "TestCase[%d]", i)
+ assert.Equal(t, test.expectedSysctls, actualSysctls, "TestCase[%d]", i)
+ }
+}
diff --git a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
index 0f1e0a1f00..cef10110bd 100644
--- a/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
+++ b/pkg/kubelet/kuberuntime/kuberuntime_sandbox.go
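Review bot: The table only exercises the success path of getSysctlsFromAnnotations; there is no case for a malformed annotation value (e.g. an entry without `=`, assuming SysctlsFromPodAnnotations rejects it) asserting that an error is returned and the map is nil, none for nil or empty annotations, and none for a name present in both annotations, which is exactly where the merge semantics need pinning. Adding an `expectErr bool` field to the table and branching the assertions on it would cover these without restructuring the loop. The function name has a typo: `TestGetSystclsFromAnnotations` should be `TestGetSysctlsFromAnnotations`, in the comment as well. The `knet.ipv4.route.min_pmtu` fixture also reads like a mistyped `net.ipv4.route.min_pmtu`; harmless if the parser does not validate names, but it will confuse readers.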
@@ -116,18 +116,22 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxConfig(pod *v1.Pod, attemp
 
 }
 }
-
- cgroupParent := m.runtimeHelper.GetPodCgroupParent(pod)
- podSandboxConfig.Linux = m.generatePodSandboxLinuxConfig(pod, cgroupParent)
 if len(portMappings) > 0 {
 podSandboxConfig.PortMappings = portMappings
 }
 
+ lc, err := m.generatePodSandboxLinuxConfig(pod)
+ if err != nil {
+ return nil, err
+ }
+ podSandboxConfig.Linux = lc
+
 return podSandboxConfig, nil
 }
 
 // generatePodSandboxLinuxConfig generates LinuxPodSandboxConfig from v1.Pod.
-func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, cgroupParent string) *runtimeapi.LinuxPodSandboxConfig {
+func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod) (*runtimeapi.LinuxPodSandboxConfig, error) {
+ cgroupParent := m.runtimeHelper.GetPodCgroupParent(pod)
 lc := &runtimeapi.LinuxPodSandboxConfig{
 CgroupParent: cgroupParent,
 SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{
@@ -135,6 +139,12 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
 },
 }
 
+ sysctls, err := getSysctlsFromAnnotations(pod.Annotations)
+ if err != nil {
+ return nil, fmt.Errorf("failed to get sysctls from annotations %v for pod %q: %v", pod.Annotations, format.Pod(pod), err)
+ }
+ lc.Sysctls = sysctls
+
 if pod.Spec.SecurityContext != nil {
 sc := pod.Spec.SecurityContext
 if sc.RunAsUser != nil {
@@ -167,7 +177,7 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
 }
 }
 
-return lc
+return lc, nil
 }
 
 // getKubeletSandboxes lists all (or just the running) sandboxes managed by kubelet.
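Review bot: The new `fmt.Errorf` in the second hunk interpolates the entire `pod.Annotations` map with `%v`; the pod is already identified by `format.Pod(pod)`, and annotations are free-form user data that can be large or carry values that do not belong in kubelet logs or pod events, where this error presumably surfaces when sandbox creation fails. Restrict the message to the context that matters and let the underlying parse error name the offending entry, e.g. `return nil, fmt.Errorf("failed to get sysctls from annotations for pod %q: %v", format.Pod(pod), err)`. Note also that the parsed sysctls are copied onto `lc.Sysctls` unconditionally with no allow-list check at this layer, so the code relies on the kubelet's sysctl admission having already run; if that is the contract, say so with `// Sysctls were validated against the kubelet whitelist at admission; pass them through to the runtime.` generatePodSandboxLinuxConfig starts and ends outside this hunk.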