CRI: using typed filed for sysctls #41766
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
k8s-github-robot
added
size/XXL
|
@k8s-bot unit test this |
|
Ready for review. cc @yujuhong @timstclair @kubernetes/sig-node-pr-reviews |
|
@k8s-bot unit test this |
|
i took a pass, and this looks pretty good to me, assigning @yujuhong for final review |
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
k8s-github-robot
added
the
needs-rebase
|
Rebased. @yujuhong @derekwaynecarr PTAL. |
k8s-github-robot
removed
the
needs-rebase
|
@k8s-bot cvm gce e2e test this |
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
/assign @timstclair @yujuhong |
|
Rebased. @timstclair @yujuhong PTAL. |
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
Rebased. ping @yujuhong @timstclair |
|
/assign @Random-Liu |
| // List of safe sysctls which are set for the sandbox. | ||
| map<string, string> sysctls = 1; | ||
| // List of unsafe sysctls which are set for the sandbox. | ||
| map<string, string> unsafe_sysctls = 2; |
There was a problem hiding this comment.
Why have a separate field for unsafe_sysctls? IIUC, the distinction is just so that the Kubelet can perform extra validation. Since it's already been validated by the time it's passed to the CRI, shouldn't we just take a single list of sysctls to set here?
There was a problem hiding this comment.
I agree with @timstclair. kubelet will make the judgement call about what type of sysctls can be set given the kubelet configuration. Whatever kubelet decides to pass to the runtime, the runtime should simply try to apply them. Let's remove the safe/unsafe distinction in CRI.
There was a problem hiding this comment.
I am not sure what sysctls are namespaced, but it seems the namespaces of the ones we support (mostly .net) are shared among containers in the pod. In the future, if that's not the case, we'll have to make sure they are set for individual containers as well. Since unsafe ones are only experimental, I think it's okay for now.
There was a problem hiding this comment.
ACK. Will merge them into one.
| if len(portMappings) > 0 { | ||
| podSandboxConfig.PortMappings = portMappings | ||
| } | ||
|
|
||
| cgroupParent := m.runtimeHelper.GetPodCgroupParent(pod) |
There was a problem hiding this comment.
cgroupParent is not used anywhere in this function. We can move it to geneartePodSandboxLinuxConfig()
| // List of safe sysctls which are set for the sandbox. | ||
| map<string, string> sysctls = 1; | ||
| // List of unsafe sysctls which are set for the sandbox. | ||
| map<string, string> unsafe_sysctls = 2; |
There was a problem hiding this comment.
I agree with @timstclair. kubelet will make the judgement call about what type of sysctls can be set given the kubelet configuration. Whatever kubelet decides to pass to the runtime, the runtime should simply try to apply them. Let's remove the safe/unsafe distinction in CRI.
| // List of safe sysctls which are set for the sandbox. | ||
| map<string, string> sysctls = 1; | ||
| // List of unsafe sysctls which are set for the sandbox. | ||
| map<string, string> unsafe_sysctls = 2; |
There was a problem hiding this comment.
I am not sure what sysctls are namespaced, but it seems the namespaces of the ones we support (mostly .net) are shared among containers in the pod. In the future, if that's not the case, we'll have to make sure they are set for individual containers as well. Since unsafe ones are only experimental, I think it's okay for now.
k8s-github-robot
added
size/XL
|
@timstclair @yujuhong Addressed comments. PTAL. |
|
/approve LGTM, but not applying labels to give @timstclair a chance to respond. |
k8s-github-robot
added
the
approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
removed
lgtm
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
|
@yujuhong @timstclair Rebased. PTAL. |
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this /lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: feiskyer, timstclair, yujuhong
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
Automatic merge from submit-queue (batch tested with PRs 45826, 45747, 45548, 45606, 41766) |
What this PR does / why we need it:
CRI supports sysctls via annotations today, we should move them to typed and structured fields instead. (refer here)
Which issue this PR fixes
Part of #39130.
Release note: