1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
|
From 68750fefd3df76b7b008ef7b18e8acd18d5c2f2e Mon Sep 17 00:00:00 2001
From: Joel Smith <joesmith@redhat.com>
Date: Thu, 14 May 2020 20:09:58 -0600
Subject: [PATCH] Include pod /etc/hosts in ephemeral storage calculation for
eviction
CVE: CVE-2020-8557
Upstream-Status: Backport [https://github.com/kubernetes/kubernetes.git branch:release-1.16]
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
src/import/pkg/kubelet/eviction/BUILD | 1 +
src/import/pkg/kubelet/eviction/eviction_manager.go | 7 ++++++-
src/import/pkg/kubelet/eviction/helpers.go | 9 ++++++++-
src/import/pkg/kubelet/kubelet.go | 3 ++-
src/import/pkg/kubelet/kubelet_pods.go | 7 ++++++-
src/import/pkg/kubelet/kubelet_test.go | 3 ++-
src/import/pkg/kubelet/runonce_test.go | 3 ++-
7 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/src/import/pkg/kubelet/eviction/BUILD b/src/import/pkg/kubelet/eviction/BUILD
index 2209b26d7d4..e8c2241e075 100644
--- a/src/import/pkg/kubelet/eviction/BUILD
+++ b/src/import/pkg/kubelet/eviction/BUILD
@@ -66,6 +66,7 @@ go_library(
"//staging/src/k8s.io/api/core/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/resource:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+ "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/clock:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/client-go/tools/record:go_default_library",
diff --git a/src/import/pkg/kubelet/eviction/eviction_manager.go b/src/import/pkg/kubelet/eviction/eviction_manager.go
index 4ef2a89dce6..ca218cb942f 100644
--- a/src/import/pkg/kubelet/eviction/eviction_manager.go
+++ b/src/import/pkg/kubelet/eviction/eviction_manager.go
@@ -26,6 +26,7 @@ import (
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
+ "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/clock"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/tools/record"
@@ -90,6 +91,8 @@ type managerImpl struct {
thresholdNotifiers []ThresholdNotifier
// thresholdsLastUpdated is the last time the thresholdNotifiers were updated.
thresholdsLastUpdated time.Time
+ // etcHostsPath is a function that will get the etc-hosts file's path for a pod given its UID
+ etcHostsPath func(podUID types.UID) string
}
// ensure it implements the required interface
@@ -106,6 +109,7 @@ func NewManager(
recorder record.EventRecorder,
nodeRef *v1.ObjectReference,
clock clock.Clock,
+ etcHostsPath func(types.UID) string,
) (Manager, lifecycle.PodAdmitHandler) {
manager := &managerImpl{
clock: clock,
@@ -121,6 +125,7 @@ func NewManager(
thresholdsFirstObservedAt: thresholdsObservedAt{},
dedicatedImageFs: nil,
thresholdNotifiers: []ThresholdNotifier{},
+ etcHostsPath: etcHostsPath,
}
return manager, manager
}
@@ -503,7 +508,7 @@ func (m *managerImpl) podEphemeralStorageLimitEviction(podStats statsapi.PodStat
} else {
fsStatsSet = []fsStatsType{fsStatsRoot, fsStatsLogs, fsStatsLocalVolumeSource}
}
- podEphemeralUsage, err := podLocalEphemeralStorageUsage(podStats, pod, fsStatsSet)
+ podEphemeralUsage, err := podLocalEphemeralStorageUsage(podStats, pod, fsStatsSet, m.etcHostsPath(pod.UID))
if err != nil {
klog.Errorf("eviction manager: error getting pod disk usage %v", err)
return false
diff --git a/src/import/pkg/kubelet/eviction/helpers.go b/src/import/pkg/kubelet/eviction/helpers.go
index dfdb8ce3b60..41c55855aad 100644
--- a/src/import/pkg/kubelet/eviction/helpers.go
+++ b/src/import/pkg/kubelet/eviction/helpers.go
@@ -18,6 +18,7 @@ package eviction
import (
"fmt"
+ "os"
"sort"
"strconv"
"strings"
@@ -415,7 +416,7 @@ func localEphemeralVolumeNames(pod *v1.Pod) []string {
}
// podLocalEphemeralStorageUsage aggregates pod local ephemeral storage usage and inode consumption for the specified stats to measure.
-func podLocalEphemeralStorageUsage(podStats statsapi.PodStats, pod *v1.Pod, statsToMeasure []fsStatsType) (v1.ResourceList, error) {
+func podLocalEphemeralStorageUsage(podStats statsapi.PodStats, pod *v1.Pod, statsToMeasure []fsStatsType, etcHostsPath string) (v1.ResourceList, error) {
disk := resource.Quantity{Format: resource.BinarySI}
inodes := resource.Quantity{Format: resource.DecimalSI}
@@ -429,6 +430,12 @@ func podLocalEphemeralStorageUsage(podStats statsapi.PodStats, pod *v1.Pod, stat
disk.Add(podLocalVolumeUsageList[v1.ResourceEphemeralStorage])
inodes.Add(podLocalVolumeUsageList[resourceInodes])
}
+ if len(etcHostsPath) > 0 {
+ if stat, err := os.Stat(etcHostsPath); err == nil {
+ disk.Add(*resource.NewQuantity(int64(stat.Size()), resource.BinarySI))
+ inodes.Add(*resource.NewQuantity(int64(1), resource.DecimalSI))
+ }
+ }
return v1.ResourceList{
v1.ResourceEphemeralStorage: disk,
resourceInodes: inodes,
diff --git a/src/import/pkg/kubelet/kubelet.go b/src/import/pkg/kubelet/kubelet.go
index c2acd358e59..8da5d0f2e92 100644
--- a/src/import/pkg/kubelet/kubelet.go
+++ b/src/import/pkg/kubelet/kubelet.go
@@ -831,8 +831,9 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
klet.backOff = flowcontrol.NewBackOff(backOffPeriod, MaxContainerBackOff)
klet.podKillingCh = make(chan *kubecontainer.PodPair, podKillingChannelCapacity)
+ etcHostsPathFunc := func(podUID types.UID) string { return getEtcHostsPath(klet.getPodDir(podUID)) }
// setup eviction manager
- evictionManager, evictionAdmitHandler := eviction.NewManager(klet.resourceAnalyzer, evictionConfig, killPodNow(klet.podWorkers, kubeDeps.Recorder), klet.podManager.GetMirrorPodByPod, klet.imageManager, klet.containerGC, kubeDeps.Recorder, nodeRef, klet.clock)
+ evictionManager, evictionAdmitHandler := eviction.NewManager(klet.resourceAnalyzer, evictionConfig, killPodNow(klet.podWorkers, kubeDeps.Recorder), klet.podManager.GetMirrorPodByPod, klet.imageManager, klet.containerGC, kubeDeps.Recorder, nodeRef, klet.clock, etcHostsPathFunc)
klet.evictionManager = evictionManager
klet.admitHandlers.AddPodAdmitHandler(evictionAdmitHandler)
diff --git a/src/import/pkg/kubelet/kubelet_pods.go b/src/import/pkg/kubelet/kubelet_pods.go
index 013d0f55aea..02857d4b5b3 100644
--- a/src/import/pkg/kubelet/kubelet_pods.go
+++ b/src/import/pkg/kubelet/kubelet_pods.go
@@ -291,10 +291,15 @@ func translateMountPropagation(mountMode *v1.MountPropagationMode) (runtimeapi.M
}
}
+// getEtcHostsPath returns the full host-side path to a pod's generated /etc/hosts file
+func getEtcHostsPath(podDir string) string {
+ return path.Join(podDir, "etc-hosts")
+}
+
// makeHostsMount makes the mountpoint for the hosts file that the containers
// in a pod are injected with.
func makeHostsMount(podDir, podIP, hostName, hostDomainName string, hostAliases []v1.HostAlias, useHostNetwork bool) (*kubecontainer.Mount, error) {
- hostsFilePath := path.Join(podDir, "etc-hosts")
+ hostsFilePath := getEtcHostsPath(podDir)
if err := ensureHostsFile(hostsFilePath, podIP, hostName, hostDomainName, hostAliases, useHostNetwork); err != nil {
return nil, err
}
diff --git a/src/import/pkg/kubelet/kubelet_test.go b/src/import/pkg/kubelet/kubelet_test.go
index 80c6dcb73b6..9fb417fbb9d 100644
--- a/src/import/pkg/kubelet/kubelet_test.go
+++ b/src/import/pkg/kubelet/kubelet_test.go
@@ -291,8 +291,9 @@ func newTestKubeletWithImageList(
UID: types.UID(kubelet.nodeName),
Namespace: "",
}
+ etcHostsPathFunc := func(podUID types.UID) string { return getEtcHostsPath(kubelet.getPodDir(podUID)) }
// setup eviction manager
- evictionManager, evictionAdmitHandler := eviction.NewManager(kubelet.resourceAnalyzer, eviction.Config{}, killPodNow(kubelet.podWorkers, fakeRecorder), kubelet.podManager.GetMirrorPodByPod, kubelet.imageManager, kubelet.containerGC, fakeRecorder, nodeRef, kubelet.clock)
+ evictionManager, evictionAdmitHandler := eviction.NewManager(kubelet.resourceAnalyzer, eviction.Config{}, killPodNow(kubelet.podWorkers, fakeRecorder), kubelet.podManager.GetMirrorPodByPod, kubelet.imageManager, kubelet.containerGC, fakeRecorder, nodeRef, kubelet.clock, etcHostsPathFunc)
kubelet.evictionManager = evictionManager
kubelet.admitHandlers.AddPodAdmitHandler(evictionAdmitHandler)
diff --git a/src/import/pkg/kubelet/runonce_test.go b/src/import/pkg/kubelet/runonce_test.go
index 7239133e481..9b162c11702 100644
--- a/src/import/pkg/kubelet/runonce_test.go
+++ b/src/import/pkg/kubelet/runonce_test.go
@@ -125,7 +125,8 @@ func TestRunOnce(t *testing.T) {
return nil
}
fakeMirrodPodFunc := func(*v1.Pod) (*v1.Pod, bool) { return nil, false }
- evictionManager, evictionAdmitHandler := eviction.NewManager(kb.resourceAnalyzer, eviction.Config{}, fakeKillPodFunc, fakeMirrodPodFunc, nil, nil, kb.recorder, nodeRef, kb.clock)
+ etcHostsPathFunc := func(podUID types.UID) string { return getEtcHostsPath(kb.getPodDir(podUID)) }
+ evictionManager, evictionAdmitHandler := eviction.NewManager(kb.resourceAnalyzer, eviction.Config{}, fakeKillPodFunc, fakeMirrodPodFunc, nil, nil, kb.recorder, nodeRef, kb.clock, etcHostsPathFunc)
kb.evictionManager = evictionManager
kb.admitHandlers.AddPodAdmitHandler(evictionAdmitHandler)
--
2.17.0
|
