Startseite Erkunden Hilfe
Anmelden
tzeneto
/
custom-kube-scheduler
Beobachten 1
Favorit hinzufügen 0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: cb14858ef6
Branches Tags
custom-kube-...
/
kubernetes
/
pkg
/
kubelet
/
dockershim
/
helpers_windows.go

helpers_windows.go 6.4 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. // +build windows
    2. 

  2. 

  3. /*
    4. 

  4. Copyright 2015 The Kubernetes Authors.
    5. 

  5. 

  6. Licensed under the Apache License, Version 2.0 (the "License");
    7. 

  7. you may not use this file except in compliance with the License.
    8. 

  8. You may obtain a copy of the License at
    9. 

  9. 

  10.     http://www.apache.org/licenses/LICENSE-2.0
    11. 

  11. 

  12. Unless required by applicable law or agreed to in writing, software
    13. 

  13. distributed under the License is distributed on an "AS IS" BASIS,
    14. 

  14. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    15. 

  15. See the License for the specific language governing permissions and
    16. 

  16. limitations under the License.
    17. 

  17. */
    18. 

  18. 

  19. package dockershim
    20. 

  20. 

  21. import (
    22. 

  22. 	"os"
    23. 

  23. 

  24. 	"github.com/blang/semver"
    25. 

  25. 	dockertypes "github.com/docker/docker/api/types"
    26. 

  26. 	dockercontainer "github.com/docker/docker/api/types/container"
    27. 

  27. 	dockerfilters "github.com/docker/docker/api/types/filters"
    28. 

  28. 	"k8s.io/klog"
    29. 

  29. 

  30. 	runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
    31. 

  31. 	kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
    32. 

  32. )
    33. 

  33. 

  34. func DefaultMemorySwap() int64 {
    35. 

  35. 	return 0
    36. 

  36. }
    37. 

  37. 

  38. func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune) ([]string, error) {
    39. 

  39. 	if seccompProfile != "" {
    40. 

  40. 		klog.Warningf("seccomp annotations are not supported on windows")
    41. 

  41. 	}
    42. 

  42. 	return nil, nil
    43. 

  43. }
    44. 

  44. 

  45. // applyExperimentalCreateConfig applys experimental configures from sandbox annotations.
    46. 

  46. func applyExperimentalCreateConfig(createConfig *dockertypes.ContainerCreateConfig, annotations map[string]string) {
    47. 

  47. 	if kubeletapis.ShouldIsolatedByHyperV(annotations) {
    48. 

  48. 		createConfig.HostConfig.Isolation = kubeletapis.HypervIsolationValue
    49. 

  49. 

  50. 		if networkMode := os.Getenv("CONTAINER_NETWORK"); networkMode == "" {
    51. 

  51. 			createConfig.HostConfig.NetworkMode = dockercontainer.NetworkMode("none")
    52. 

  52. 		}
    53. 

  53. 	}
    54. 

  54. }
    55. 

  55. 

  56. func (ds *dockerService) updateCreateConfig(
    57. 

  57. 	createConfig *dockertypes.ContainerCreateConfig,
    58. 

  58. 	config *runtimeapi.ContainerConfig,
    59. 

  59. 	sandboxConfig *runtimeapi.PodSandboxConfig,
    60. 

  60. 	podSandboxID string, securityOptSep rune, apiVersion *semver.Version) error {
    61. 

  61. 	if networkMode := os.Getenv("CONTAINER_NETWORK"); networkMode != "" {
    62. 

  62. 		createConfig.HostConfig.NetworkMode = dockercontainer.NetworkMode(networkMode)
    63. 

  63. 	} else if !kubeletapis.ShouldIsolatedByHyperV(sandboxConfig.Annotations) {
    64. 

  64. 		// Todo: Refactor this call in future for calling methods directly in security_context.go
    65. 

  65. 		modifyHostOptionsForContainer(nil, podSandboxID, createConfig.HostConfig)
    66. 

  66. 	}
    67. 

  67. 

  68. 	// Apply Windows-specific options if applicable.
    69. 

  69. 	if wc := config.GetWindows(); wc != nil {
    70. 

  70. 		rOpts := wc.GetResources()
    71. 

  71. 		if rOpts != nil {
    72. 

  72. 			createConfig.HostConfig.Resources = dockercontainer.Resources{
    73. 

  73. 				Memory:     rOpts.MemoryLimitInBytes,
    74. 

  74. 				CPUShares:  rOpts.CpuShares,
    75. 

  75. 				CPUCount:   rOpts.CpuCount,
    76. 

  76. 				CPUPercent: rOpts.CpuMaximum,
    77. 

  77. 			}
    78. 

  78. 		}
    79. 

  79. 

  80. 		// Apply security context.
    81. 

  81. 		applyWindowsContainerSecurityContext(wc.GetSecurityContext(), createConfig.Config, createConfig.HostConfig)
    82. 

  82. 	}
    83. 

  83. 

  84. 	applyExperimentalCreateConfig(createConfig, sandboxConfig.Annotations)
    85. 

  85. 

  86. 	return nil
    87. 

  87. }
    88. 

  88. 

  89. // applyWindowsContainerSecurityContext updates docker container options according to security context.
    90. 

  90. func applyWindowsContainerSecurityContext(wsc *runtimeapi.WindowsContainerSecurityContext, config *dockercontainer.Config, hc *dockercontainer.HostConfig) {
    91. 

  91. 	if wsc == nil {
    92. 

  92. 		return
    93. 

  93. 	}
    94. 

  94. 

  95. 	if wsc.GetRunAsUsername() != "" {
    96. 

  96. 		config.User = wsc.GetRunAsUsername()
    97. 

  97. 	}
    98. 

  98. }
    99. 

  99. 

  100. func (ds *dockerService) determinePodIPBySandboxID(sandboxID string) []string {
    101. 

  101. 	opts := dockertypes.ContainerListOptions{
    102. 

  102. 		All:     true,
    103. 

  103. 		Filters: dockerfilters.NewArgs(),
    104. 

  104. 	}
    105. 

  105. 

  106. 	f := newDockerFilter(&opts.Filters)
    107. 

  107. 	f.AddLabel(containerTypeLabelKey, containerTypeLabelContainer)
    108. 

  108. 	f.AddLabel(sandboxIDLabelKey, sandboxID)
    109. 

  109. 	containers, err := ds.client.ListContainers(opts)
    110. 

  110. 	if err != nil {
    111. 

  111. 		return nil
    112. 

  112. 	}
    113. 

  113. 

  114. 	for _, c := range containers {
    115. 

  115. 		r, err := ds.client.InspectContainer(c.ID)
    116. 

  116. 		if err != nil {
    117. 

  117. 			continue
    118. 

  118. 		}
    119. 

  119. 

  120. 		// Versions and feature support
    121. 

  121. 		// ============================
    122. 

  122. 		// Windows version == Windows Server, Version 1709, Supports both sandbox and non-sandbox case
    123. 

  123. 		// Windows version == Windows Server 2016   Support only non-sandbox case
    124. 

  124. 		// Windows version < Windows Server 2016 is Not Supported
    125. 

  125. 

  126. 		// Sandbox support in Windows mandates CNI Plugin.
    127. 

  127. 		// Presence of CONTAINER_NETWORK flag is considered as non-Sandbox cases here
    128. 

  128. 

  129. 		// Todo: Add a kernel version check for more validation
    130. 

  130. 

  131. 		if networkMode := os.Getenv("CONTAINER_NETWORK"); networkMode == "" {
    132. 

  132. 			// On Windows, every container that is created in a Sandbox, needs to invoke CNI plugin again for adding the Network,
    133. 

  133. 			// with the shared container name as NetNS info,
    134. 

  134. 			// This is passed down to the platform to replicate some necessary information to the new container
    135. 

  135. 

  136. 			//
    137. 

  137. 			// This place is chosen as a hack for now, since ds.getIP would end up calling CNI's addToNetwork
    138. 

  138. 			// That is why addToNetwork is required to be idempotent
    139. 

  139. 

  140. 			// Instead of relying on this call, an explicit call to addToNetwork should be
    141. 

  141. 			// done immediately after ContainerCreation, in case of Windows only. TBD Issue # to handle this
    142. 

  142. 

  143. 			if r.HostConfig.Isolation == kubeletapis.HypervIsolationValue {
    144. 

  144. 				// Hyper-V only supports one container per Pod yet and the container will have a different
    145. 

  145. 				// IP address from sandbox. Return the first non-sandbox container IP as POD IP.
    146. 

  146. 				// TODO(feiskyer): remove this workaround after Hyper-V supports multiple containers per Pod.
    147. 

  147. 				if containerIPs := ds.getIPs(c.ID, r); len(containerIPs) != 0 {
    148. 

  148. 					return containerIPs
    149. 

  149. 				}
    150. 

  150. 			} else {
    151. 

  151. 				// Do not return any IP, so that we would continue and get the IP of the Sandbox.
    152. 

  152. 				// Windows 1709 and 1803 doesn't have the Namespace support, so getIP() is called
    153. 

  153. 				// to replicate the DNS registry key to the Workload container (IP/Gateway/MAC is
    154. 

  154. 				// set separately than DNS).
    155. 

  155. 				// TODO(feiskyer): remove this workaround after Namespace is supported in Windows RS5.
    156. 

  156. 				ds.getIPs(sandboxID, r)
    157. 

  157. 			}
    158. 

  158. 		} else {
    159. 

  159. 			// ds.getIP will call the CNI plugin to fetch the IP
    160. 

  160. 			if containerIPs := ds.getIPs(c.ID, r); len(containerIPs) != 0 {
    161. 

  161. 				return containerIPs
    162. 

  162. 			}
    163. 

  163. 		}
    164. 

  164. 	}
    165. 

  165. 

  166. 	return nil
    167. 

  167. }
    168. 

  168. 

  169. func getNetworkNamespace(c *dockertypes.ContainerJSON) (string, error) {
    170. 

  170. 	// Currently in windows there is no identifier exposed for network namespace
    171. 

  171. 	// Like docker, the referenced container id is used to figure out the network namespace id internally by the platform
    172. 

  172. 	// so returning the docker networkMode (which holds container:<ref containerid> for network namespace here
    173. 

  173. 	return string(c.HostConfig.NetworkMode), nil
    174. 

  174. }
    175. 

  175.