Split up create config handling of namespaces and security #4265
Conversation
openshift-ci-robot
added
the
do-not-merge/work-in-progress
openshift-ci-robot
added
the
size/XXL
|
|
||
| cgroup := cc.CgroupConfig{ | ||
| Cgroups: c.String("cgroups"), | ||
| Cgroupns: c.String("cgroupns"), |
There was a problem hiding this comment.
I'd prefer to put all namespace configuration together if we can
There was a problem hiding this comment.
Even if we do i'd still like proceessing of them to be separated so if a pod only shares a couple of namespaces, all fields don't have to be configured fully
|
I'm in the planning stages of related refactoring, so we might want to sync on this tomorrow |
|
Sgtm, i'm second half day PTO but on PST, maybe sync around watercooler? |
haircommander
force-pushed
the
infra-namespaces-submit
branch
7 times, most recently
from
6a1cddc to
700f004
Compare
haircommander
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
Alright, this PR as is is ready to be merged PTAL @mheon @baude @rhatdan @TomSweeneyRedHat @QiWang19 @jwhonce @vrothberg |
|
One thing I'd really like to do is have a unified, sane type for namespaces. Podman should probably allow |
|
@mheon the problem about that is where the options diverge. net has like a thousand options. We could create an interface for the shared ones, but we couldn't use that interface in a very generic way, so the added benefit is not clear to me |
|
☔ The latest upstream changes (presumably #4310) made this pull request unmergeable. Please resolve the merge conflicts. |
|
@haircommander Could you rebase? |
haircommander
force-pushed
the
infra-namespaces-submit
branch
from
700f004 to
17d61fb
Compare
|
@rhatdan done |
|
LGTM |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: haircommander, rhatdan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
☔ The latest upstream changes (presumably #4374) made this pull request unmergeable. Please resolve the merge conflicts. |
haircommander
force-pushed
the
infra-namespaces-submit
branch
from
17d61fb to
f413c7f
Compare
|
rebased to resolve conflicts |
|
/lgtm |
openshift-ci-robot
added
do-not-merge/hold
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/retest |
|
/test images |
|
☔ The latest upstream changes (presumably #4447) made this pull request unmergeable. Please resolve the merge conflicts. |
|
@haircommander needs a rebase. |
As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function. This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. Signed-off-by: Peter Hunt <[email protected]>
haircommander
force-pushed
the
infra-namespaces-submit
branch
from
f413c7f to
dcf3c74
Compare
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
As it stands, createconfig is a huge struct. This works fine when the only caller is when we create a container with a fully created config. However, if we wish to share code for security and namespace configuration, a single large struct becomes unweildy, as well as difficult to configure with the single createConfigToOCISpec function.
This PR breaks up namespace and security configuration into their own structs, with the eventual goal of allowing the namespace/security fields to be configured by the pod create cli, and allow the infra container to share this with the pod's containers. This will solve many requests (#3837, #2957, #2808) of further customizing pod creation.
This is NOT DONE AT ALL. but, I am putting the beginnings here for people to tell me their thoughts about the design, approach etc. The next steps include: