Refactor v1alpha2 Linux namespace definitions (#826)

There are a handful of Linux namespaces (see https://man7.org/linux/man-pages/man7/namespaces.7.html). Containers can be configured to run inside the bounds of precreated namespaces. The original v1alpha2 API allowed users to specify a network namespace only, but we have already acquired a use-case for the PID namespace. This change refactors the v1alpha2 API (unreleased) to accommodate future namespace customization.
tinkerbell · Oct 25, 2023 · 029b5d6 · 029b5d6
2 parents e1e969b + 23df80e
commit 029b5d6
Show file tree

Hide file tree

Showing 8 changed files with 75 additions and 29 deletions.
diff --git a/api/v1alpha2/template.go b/api/v1alpha2/template.go
@@ -49,11 +49,9 @@ type Action struct {
 	// +optional
 	Volumes []Volume `json:"volumes,omitempty"`
 
-	// NetworkNamespace defines the network namespace to run the container in. This enables access
-	// to the host network namespace.
-	// See https://man7.org/linux/man-pages/man7/namespaces.7.html.
+	// Namespace defines the Linux namespaces this container should execute in.
 	// +optional
-	NetworkNamespace *string `json:"networkNamespace,omitempty"`
+	Namespace *Namespace `json:"namespaces,omitempty"`
 }
 
 // Volume is a specification for mounting a volume in an action. Volumes take the form
@@ -71,6 +69,18 @@ type Action struct {
 // See https://docs.docker.com/storage/volumes/ for additional details.
 type Volume string
 
+// Namespace defines the Linux namespaces to use for the container.
+// See https://man7.org/linux/man-pages/man7/namespaces.7.html.
+type Namespace struct {
+	// Network defines the network namespace.
+	// +optional
+	Network *string `json:"network,omitempty"`
+
+	// PID defines the PID namespace
+	// +optional
+	PID *int `json:"pid,omitempty"`
+}
+
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:categories=tinkerbell,shortName=tpl
 // +kubebuilder:unservedversion

diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go
diff --git a/buf.lock b/buf.lock
@@ -4,4 +4,4 @@ deps:
   - remote: buf.build
     owner: googleapis
     repository: googleapis
-    commit: cc916c31859748a68fd229a3c8d7a2e8
+    commit: 28151c0d0a1641bf938a7672c500e01d
diff --git a/config/crd/bases/tinkerbell.org_hardware.yaml b/config/crd/bases/tinkerbell.org_hardware.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.11.4
   name: hardware.tinkerbell.org
 spec:
   group: tinkerbell.org
@@ -421,7 +420,7 @@ spec:
                     description: NetworkInterface is the desired configuration for a particular network interface.
                     properties:
                       dhcp:
-                        description: DHCP is the basic network information for serving DHCP requests. Requires when DisbaleDHCP is false.
+                        description: DHCP is the basic network information for serving DHCP requests. Required when DisbaleDHCP is false.
                         properties:
                           gateway:
                             description: Gateway is the default gateway address to serve.

diff --git a/config/crd/bases/tinkerbell.org_osies.yaml b/config/crd/bases/tinkerbell.org_osies.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.11.4
   name: osies.tinkerbell.org
 spec:
   group: tinkerbell.org

diff --git a/config/crd/bases/tinkerbell.org_templates.yaml b/config/crd/bases/tinkerbell.org_templates.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.11.4
   name: templates.tinkerbell.org
 spec:
   group: tinkerbell.org
@@ -74,12 +73,13 @@ spec:
                     description: Action defines an individual action to be run on a target machine.
                     properties:
                       args:
-                        description: Args are a set of arguments to be passed to the container on launch.
+                        description: Args are a set of arguments to be passed to the command executed by the container on launch.
                         items:
                           type: string
                         type: array
                       cmd:
-                        description: Cmd defines the command to use when launching the image.
+                        description: Cmd defines the command to use when launching the image. It overrides the default command of the action. It must be a unix path to an executable program.
+                        pattern: ^(/[^/ ]*)+/?$
                         type: string
                       env:
                         additionalProperties:
@@ -92,9 +92,16 @@ spec:
                       name:
                         description: Name is a name for the action.
                         type: string
-                      networkNamespace:
-                        description: NetworkNamespace defines the network namespace to run the container in. This enables access to the host network namespace. See https://man7.org/linux/man-pages/man7/namespaces.7.html.
-                        type: string
+                      namespaces:
+                        description: Namespace defines the Linux namespaces this container should execute in.
+                        properties:
+                          network:
+                            description: Network defines the network namespace.
+                            type: string
+                          pid:
+                            description: PID defines the PID namespace
+                            type: integer
+                        type: object
                       volumes:
                         description: Volumes defines the volumes to mount into the container.
                         items:

diff --git a/config/crd/bases/tinkerbell.org_workflows.yaml b/config/crd/bases/tinkerbell.org_workflows.yaml
@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.11.4
   name: workflows.tinkerbell.org
 spec:
   group: tinkerbell.org
@@ -209,12 +208,13 @@ spec:
                         description: Rendered is the rendered action.
                         properties:
                           args:
-                            description: Args are a set of arguments to be passed to the container on launch.
+                            description: Args are a set of arguments to be passed to the command executed by the container on launch.
                             items:
                               type: string
                             type: array
                           cmd:
-                            description: Cmd defines the command to use when launching the image.
+                            description: Cmd defines the command to use when launching the image. It overrides the default command of the action. It must be a unix path to an executable program.
+                            pattern: ^(/[^/ ]*)+/?$
                             type: string
                           env:
                             additionalProperties:
@@ -227,9 +227,16 @@ spec:
                           name:
                             description: Name is a name for the action.
                             type: string
-                          networkNamespace:
-                            description: NetworkNamespace defines the network namespace to run the container in. This enables access to the host network namespace. See https://man7.org/linux/man-pages/man7/namespaces.7.html.
-                            type: string
+                          namespaces:
+                            description: Namespace defines the Linux namespaces this container should execute in.
+                            properties:
+                              network:
+                                description: Network defines the network namespace.
+                                type: string
+                              pid:
+                                description: PID defines the PID namespace
+                                type: integer
+                            type: object
                           volumes:
                             description: Volumes defines the volumes to mount into the container.
                             items:

diff --git a/config/server-rbac/role.yaml b/config/server-rbac/role.yaml
@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: server-role
 rules:
   - apiGroups: