kubernetes: VisitContainers called from *InUse methods is not safe
What happened:
In 1.16, #59416 modified the VisitContainers() helper method to conditionally iterate over the EphemeralContainers field, based on whether the EphemeralContainers feature gate was enabled.
This method is called in pkg/api/pod/util.go to:
- determine if any containers are using a particular alpha field
- clear a particular alpha field in all containers
On update, if the existing pod has ephemeral containers, the new pod is permitted to specify those ephemeral containers as well, even if the feature is currently disabled (this avoids data loss on API object update).
That means that when the ephemeral feature is not enabled:
- an existing pod that is using a particular feature in an ephemeral container may not be detected correctly
- alpha fields might not be cleared correctly in the ephemeral containers in the pod
- node authorizer will not recognize secrets/configmaps in envFrom in ephemeral containers in existing pods, so kubelets will not be authorized to fetch those secrets/configmaps
The caller needs to indicate whether they want to iterate over all containers or just the ones that are feature-enabled.
/cc @verb
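The hazard described in this issue, as an added example that is not part of the issue or of the kubernetes/kubernetes code base: a cut-down Go model in which the old helper consults the feature gate itself, and a replacement that takes a caller-chosen mask so update and authorization paths can walk every container actually stored on the object. The types, the ContainerType/AllContainers/AllFeatureEnabledContainers names, the AlphaField stand-in and the sample pod are assumptions made for the illustration.

```go
package main

import "fmt"

// Added illustration of the VisitContainers hazard in the issue above; not code
// from kubernetes/kubernetes. Types and mask names are assumptions for the example.

// Container keeps only what the example needs; AlphaField stands in for any gated field.
type Container struct {
	Name       string
	EnvFrom    []string // secret names referenced via envFrom
	AlphaField string
}

// PodSpec mirrors the container lists on a real pod spec (init containers omitted).
type PodSpec struct {
	Containers          []Container
	EphemeralContainers []Container
}

// ContainerVisitor returns false to stop the walk early.
type ContainerVisitor func(c *Container) bool

// ContainerType is a bitmask naming which lists the caller wants walked.
type ContainerType int

const (
	Containers ContainerType = 1 << iota
	EphemeralContainers
	AllContainers = Containers | EphemeralContainers
)

// ephemeralContainersGate stands in for the EphemeralContainers feature gate.
var ephemeralContainersGate = false

// AllFeatureEnabledContainers suits callers that only want gate-enabled lists.
func AllFeatureEnabledContainers() ContainerType {
	if ephemeralContainersGate {
		return AllContainers
	}
	return Containers
}

func walk(list []Container, visitor ContainerVisitor) bool {
	for i := range list {
		if !visitor(&list[i]) {
			return false
		}
	}
	return true
}

// VisitContainers walks exactly the lists selected by mask; the caller decides.
func VisitContainers(spec *PodSpec, mask ContainerType, visitor ContainerVisitor) bool {
	if mask&Containers != 0 && !walk(spec.Containers, visitor) {
		return false
	}
	return mask&EphemeralContainers == 0 || walk(spec.EphemeralContainers, visitor)
}

// visitContainersOld reproduces the pre-fix helper: it consulted the gate itself.
func visitContainersOld(spec *PodSpec, visitor ContainerVisitor) bool {
	return VisitContainers(spec, AllFeatureEnabledContainers(), visitor)
}

// referencedSecrets collects envFrom secret names the way a node authorizer
// graph builder would, walking only the lists selected by mask.
func referencedSecrets(spec *PodSpec, mask ContainerType) []string {
	var names []string
	VisitContainers(spec, mask, func(c *Container) bool {
		names = append(names, c.EnvFrom...)
		return true
	})
	return names
}

// dropAlphaField clears the gated field in the containers selected by mask.
func dropAlphaField(spec *PodSpec, mask ContainerType) {
	VisitContainers(spec, mask, func(c *Container) bool {
		c.AlphaField = ""
		return true
	})
}

// existingPod is a constructed sample persisted while the gate was on, so it
// legitimately still carries an ephemeral container that references a secret.
func existingPod() *PodSpec {
	return &PodSpec{
		Containers:          []Container{{Name: "app", EnvFrom: []string{"app-creds"}, AlphaField: "set"}},
		EphemeralContainers: []Container{{Name: "debugger", EnvFrom: []string{"debug-creds"}, AlphaField: "set"}},
	}
}

func main() {
	ephemeralContainersGate = false // gate off, but the stored object still has the list
	fmt.Println("old/gated walk sees:", referencedSecrets(existingPod(), AllFeatureEnabledContainers()))
	fmt.Println("AllContainers walk sees:", referencedSecrets(existingPod(), AllContainers))
}
```

With the gate off, the gated walk never reaches the debugger container, so "debug-creds" is invisible to an authorizer and its AlphaField survives a gated clear; the same walk with AllContainers sees both. Callers validating a brand-new object can still pass AllFeatureEnabledContainers(); the point is that the choice now sits with the caller rather than inside the helper.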
About this issue
- State: closed
- Created 5 years ago
- Comments: 23 (23 by maintainers)
This has an active PR in progress in https://github.com/kubernetes/kubernetes/pull/87865
code freeze is EOD today
/milestone v1.18
@gianarb This is still intended for 1.18. #87865 resolves this issue and has lgtm.
/cc @tedyu
@gianarb ack, please leave it in 1.18. If there’s not movement on the blocking issue soon I’ll reopen the PR that fixes it without the blocker.
@smourapina This is blocked on #82192. This is trivial to fix if #82192 lands, but I think it’s a high risk of slipping.
@smourapina Yes, please keep it in 1.17. I will look at it more today.