kubelet: config: add userNamespaces.idsPerPod

IDsPerPod is the mapping length of subids for UserNS. The length must be multiple of 65536. Default: 65536 Implements kubernetes/enhancements PR 5020 (addendum to KEP-127) Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> Kubernetes-commit: 1592bfa4a81182ffb2ad599d600778e92564e3c0
2025-02-07 16:25:52 +09:00 · 2025-02-07 16:25:52 +09:00 · 9685938ad2
parent 64ed7a97e5
commit 9685938ad2
2 changed files with 45 additions and 0 deletions
--- a/config/v1beta1/types.go
+++ b/config/v1beta1/types.go
@ -924,6 +924,11 @@ type KubeletConfiguration struct {
 	// Default: false
 	// +optional
 	FailCgroupV1 *bool `json:"failCgroupV1,omitempty"`
+
+	// UserNamespaces contains User Namespace configurations.
+	// +featureGate=UserNamespaceSupport
+	// +optional
+	UserNamespaces *UserNamespaces `json:"userNamespaces,omitempty"`
 }

 type KubeletAuthorizationMode string
@ -1119,3 +1124,17 @@ type ExecEnvVar struct {
 	Name  string `json:"name"`
 	Value string `json:"value"`
 }
+
+// UserNamespaces contains User Namespace configurations.
+type UserNamespaces struct {
+	// IDsPerPod is the mapping length of UIDs and GIDs.
+	// The length must be a multiple of 65536, and must be less than 1<<32.
+	// On non-linux such as windows, only null / absent is allowed.
+	//
+	// Changing the value may require recreating all containers on the node.
+	//
+	// Default: 65536
+	// +featureGate=UserNamespaceSupport
+	// +optional
+	IDsPerPod *int64 `json:"idsPerPod,omitempty"`
+}
--- a/config/v1beta1/zz_generated.deepcopy.go
+++ b/config/v1beta1/zz_generated.deepcopy.go
@ -527,6 +527,11 @@ func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.UserNamespaces != nil {
+		in, out := &in.UserNamespaces, &out.UserNamespaces
+		*out = new(UserNamespaces)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }

@ -684,3 +689,24 @@ func (in *ShutdownGracePeriodByPodPriority) DeepCopy() *ShutdownGracePeriodByPod
 	in.DeepCopyInto(out)
 	return out
 }
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserNamespaces) DeepCopyInto(out *UserNamespaces) {
+	*out = *in
+	if in.IDsPerPod != nil {
+		in, out := &in.IDsPerPod, &out.IDsPerPod
+		*out = new(int64)
+		**out = **in
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserNamespaces.
+func (in *UserNamespaces) DeepCopy() *UserNamespaces {
+	if in == nil {
+		return nil
+	}
+	out := new(UserNamespaces)
+	in.DeepCopyInto(out)
+	return out
+}