diff --git a/libpod/kube.go b/libpod/kube.go
index 76433e67f4..d8e08d7273 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -765,7 +765,17 @@ func simplePodWithV1Containers(ctx context.Context, ctrs []*Container, getServic
 if !podmanOnly && define.IsReservedAnnotation(k) {
 continue
 }
- kubeAnnotations[fmt.Sprintf("%s/%s", k, removeUnderscores(ctr.Name()))] = v
+ // Certain annotations should be applied to the whole pod.
+ // For others, add container name as a suffix.
+ // For annotations such as this, error if already set.
+ if k == define.UserNsAnnotation {
+ if oldV, ok := kubeAnnotations[k]; ok && oldV != v {
+ return nil, fmt.Errorf("two or more containers have differing user namespace configuration, cannot place in same Kubernetes pod: %w", define.ErrInvalidArg)
+ }
+ kubeAnnotations[k] = v
+ } else {
+ kubeAnnotations[fmt.Sprintf("%s/%s", k, removeUnderscores(ctr.Name()))] = v
+ }
 }
 
 // Convert auto-update labels into kube annotations
diff --git a/test/e2e/generate_kube_test.go b/test/e2e/generate_kube_test.go
index 4af76aa480..b654a938d5 100644
--- a/test/e2e/generate_kube_test.go
+++ b/test/e2e/generate_kube_test.go
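Review bot: In libpod/kube.go, the conflict check in the `k == define.UserNsAnnotation` branch only compares values when both containers carry the annotation, so a container with no user namespace annotation at all can be combined with one that has it and no error is returned. The pod-wide annotation would then presumably apply to every container when the generated YAML is played, silently changing the user namespace configuration of the container that never set one. Consider recording per container whether the key was seen and rejecting a mix of set and unset once the loop over the containers finishes; at minimum document the gap with `// NOTE: a container without this annotation is not detected as a conflict here.`. The enclosing loop and function start and end outside this hunk, so the follow-up check would live there.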
@@ -1025,6 +1025,27 @@ var _ = Describe("Podman kube generate", func() {
 Expect(kube).Should(ExitCleanly())
 })
 
+ It("multiple containers with same user namespace configuration", func() {
+ name1 := "c1"
+ name2 := "c2"
+ _ = podmanTest.PodmanExitCleanly("run", "--userns", "auto:size=30", "-dt", "--name", name1, ALPINE, "top")
+ _ = podmanTest.PodmanExitCleanly("run", "--userns", "auto:size=30", "-dt", "--name", name2, ALPINE, "top")
+
+ gen := podmanTest.PodmanExitCleanly("kube", "generate", name1, name2)
+ Expect(gen.OutputToString()).To(ContainSubstring("io.podman.annotations.userns: auto:size=10"))
+ })
+
+ It("multiple containers with differing user namespace configuration", func() {
+ name1 := "c1"
+ name2 := "c2"
+ _ = podmanTest.PodmanExitCleanly("run", "--userns", "auto:size=30", "-dt", "--name", name1, ALPINE, "top")
+ _ = podmanTest.PodmanExitCleanly("run", "--userns", "auto:size=40", "-dt", "--name", name2, ALPINE, "top")
+
+ gen := podmanTest.Podman([]string{"kube", "generate", name1, name2})
+ gen.WaitWithDefaultTimeout()
+ Expect(gen).Should(ExitWithError(125, "two or more containers have differing user namespace configuration, cannot place in same Kubernetes pod: invalid argument"))
+ })
+
 It("with containers in pods should fail", func() {
 pod1 := podmanTest.Podman([]string{"run", "-dt", "--pod", "new:pod1", "--name", "top1", CITEST_IMAGE, "top"})
 pod1.WaitWithDefaultTimeout()
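Review bot: The expected substring in the "same user namespace configuration" test is `auto:size=10`, but both containers are started with `--userns auto:size=30`. The kube.go change in this commit copies the annotation value through unchanged, so the generated YAML would presumably carry `auto:size=30` and this assertion would not match; it should read `Expect(gen.OutputToString()).To(ContainSubstring("io.podman.annotations.userns: auto:size=30"))`. Neither new test covers the case where only one of the two containers sets `--userns`, which is the combination the conflict check does not reject, so a third case pinning the intended behaviour there would be worth adding.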