Add support for --pids-limit in podman kube play.

This commit adds new annotation called:

io.podman.annotations.pids-limit/$ctrname

This annotation is used to define the PIDsLimit for
a particular pod. It is also automatically defined
when newly added --pids-limit option is used.

Fixes: containers#24418

Signed-off-by: Jan Kaluza <[email protected]>

Author: Jan Kaluza

cmd/podman/kube/play.go

@@ -40,6 +40,7 @@ type playKubeOptionsWrapper struct {
 	BuildCLI       bool
 	annotations    []string
 	macs           []string
+	pidsLimit      int64
 }
 
 var (
@@ -176,6 +177,13 @@ func playFlags(cmd *cobra.Command) {
 	flags.BoolVar(&playOptions.UseLongAnnotations, noTruncFlagName, false, "Use annotations that are not truncated to the Kubernetes maximum length of 63 characters")
 	_ = flags.MarkHidden(noTruncFlagName)
 
+	pidsLimitFlagName := "pids-limit"
+	flags.Int64Var(
+		&playOptions.pidsLimit, pidsLimitFlagName, 0,
+		"Tune pods pids limit (set -1 for unlimited)",
+	)
+	_ = cmd.RegisterFlagCompletionFunc(pidsLimitFlagName, completion.AutocompleteNone)
+
 	if !registry.IsRemote() {
 		certDirFlagName := "cert-dir"
 		flags.StringVar(&playOptions.CertDir, certDirFlagName, "", "`Pathname` of a directory containing TLS certificates and keys")
@@ -237,6 +245,9 @@ func play(cmd *cobra.Command, args []string) error {
 			return err
 		}
 	}
+	if cmd.Flags().Changed("pids-limit") {
+		playOptions.PIDsLimit = &playOptions.pidsLimit
+	}
 	if playOptions.ContextDir != "" && playOptions.Build != types.OptionalBoolTrue {
 		return errors.New("--build must be specified when using --context-dir option")
 	}

docs/source/markdown/options/pids-limit.md

@@ -1,5 +1,5 @@
 ####> This option file is used in:
-####>   podman create, run, update
+####>   podman create, kube play, run, update
 ####> If file is edited, make sure the changes
 ####> are applicable to all of those.
 #### **--pids-limit**=*limit*

docs/source/markdown/podman-kube-play.1.md.in

@@ -55,6 +55,8 @@ by `podman kube play` to create them.
 
 Note: To customize the name of the infra container created during `podman kube play`, use the **io.podman.annotations.infra.name** annotation in the pod definition. This annotation is automatically set when generating a kube yaml from a pod that was created with the `--infra-name` flag set.
 
+Note: Use the **io.podman.annotations.pids-limit/$ctrname** annotation to configure the pod's pids limit.
+
 `Kubernetes PersistentVolumeClaims`
 
 A Kubernetes PersistentVolumeClaim represents a Podman named volume. Only the PersistentVolumeClaim name is required by Podman to create a volume. Kubernetes annotations can be used to make use of the available options for Podman volumes.
@@ -252,6 +254,8 @@ When no network option is specified and *host* network mode is not configured in
 
 This option conflicts with host added in the Kubernetes YAML.
 
+@@option pids-limit
+
 #### **--publish**=*[[ip:][hostPort]:]containerPort[/protocol]*
 
 Define or override a port definition in the YAML file.

libpod/define/annotations.go

@@ -169,6 +169,9 @@ const (
 	// KubeImageAutomountAnnotation
 	KubeImageAutomountAnnotation = "io.podman.annotations.kube.image.volumes.mount"
 
+	// PIDsLimitAnnotation is used to limit the number of PIDs
+	PIDsLimitAnnotation = "io.podman.annotations.pids-limit"
+
 	// TotalAnnotationSizeLimitB is the max length of annotations allowed by Kubernetes.
 	TotalAnnotationSizeLimitB int = 256 * (1 << 10) // 256 kB
 )

pkg/api/handlers/libpod/kube.go

@@ -123,6 +123,7 @@ func KubePlay(w http.ResponseWriter, r *http.Request) {
 		Userns           string            `schema:"userns"`
 		Wait             bool              `schema:"wait"`
 		Build            bool              `schema:"build"`
+		PIDsLimit        int64             `schema:"PIDsLimit"`
 	}{
 		TLSVerify: true,
 		Start:     true,
@@ -208,6 +209,9 @@ func KubePlay(w http.ResponseWriter, r *http.Request) {
 	if _, found := r.URL.Query()["start"]; found {
 		options.Start = types.NewOptionalBool(query.Start)
 	}
+	if _, found := r.URL.Query()["PIDsLimit"]; found {
+		options.PIDsLimit = &query.PIDsLimit
+	}
 	report, err := containerEngine.PlayKube(r.Context(), reader, options)
 	if err != nil {
 		utils.Error(w, http.StatusInternalServerError, fmt.Errorf("playing YAML file: %w", err))

pkg/bindings/kube/kube.go

@@ -49,6 +49,9 @@ func PlayWithBody(ctx context.Context, body io.Reader, options *PlayOptions) (*e
 	if options.Start != nil {
 		params.Set("start", strconv.FormatBool(options.GetStart()))
 	}
+	if options.PIDsLimit != nil {
+		params.Set("PIDsLimit", strconv.FormatInt(*options.PIDsLimit, 10))
+	}
 
 	// For the remote case, read any configMaps passed and append it to the main yaml content
 	if options.ConfigMaps != nil {

pkg/bindings/kube/types.go

@@ -63,6 +63,7 @@ type PlayOptions struct {
 	// Wait - indicates whether to return after having created the pods
 	Wait             *bool
 	ServiceContainer *bool
+	PIDsLimit        *int64
 }
 
 // ApplyOptions are optional options for applying kube YAML files to a k8s cluster

pkg/bindings/kube/types_play_options.go

@@ -81,6 +81,8 @@ type PlayKubeOptions struct {
 	Wait bool
 	// SystemContext - used when building the image
 	SystemContext *types.SystemContext
+	// Pids Limit
+	PIDsLimit *int64
 }
 
 // PlayKubePod represents a single pod and associated containers created by play kube

pkg/domain/entities/play.go

@@ -996,6 +996,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			VolumesFrom:        volumesFrom,
 			ImageVolumes:       automountImages,
 			UtsNSIsHost:        p.UtsNs.IsHost(),
+			PIDsLimit:          options.PIDsLimit,
 		}
 		specGen, err := kube.ToSpecGen(ctx, &specgenOpts)
 		if err != nil {
@@ -1087,6 +1088,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			VolumesFrom:        volumesFrom,
 			ImageVolumes:       automountImages,
 			UtsNSIsHost:        p.UtsNs.IsHost(),
+			PIDsLimit:          options.PIDsLimit,
 		}
 
 		if podYAML.Spec.TerminationGracePeriodSeconds != nil {

pkg/domain/infra/abi/play.go

@@ -75,6 +75,7 @@ func (ic *ContainerEngine) PlayKube(ctx context.Context, body io.Reader, opts en
 	options.WithPublishPorts(opts.PublishPorts)
 	options.WithPublishAllPorts(opts.PublishAllPorts)
 	options.WithNoTrunc(opts.UseLongAnnotations)
+	options.PIDsLimit = opts.PIDsLimit
 	return play.KubeWithBody(ic.ClientCtx, body, options)
 }
 

pkg/domain/infra/tunnel/kube.go

@@ -184,6 +184,8 @@ type CtrSpecGenOptions struct {
 	PodSecurityContext *v1.PodSecurityContext
 	// TerminationGracePeriodSeconds is the grace period given to a container to stop before being forcefully killed
 	TerminationGracePeriodSeconds *int64
+	// PIDsLimit
+	PIDsLimit *int64
 }
 
 func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error) {
@@ -361,6 +363,9 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 	if opts.PodInfraID != "" {
 		annotations[ann.SandboxID] = opts.PodInfraID
 	}
+	if opts.PIDsLimit != nil {
+		annotations[define.PIDsLimitAnnotation+"/"+opts.Container.Name] = strconv.FormatInt(*opts.PIDsLimit, 10)
+	}
 	s.Annotations = annotations
 
 	if containerCIDFile, ok := opts.Annotations[define.InspectAnnotationCIDFile+"/"+opts.Container.Name]; ok {
@@ -375,6 +380,20 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
 		s.Annotations[define.InspectAnnotationApparmor] = apparmor
 	}
 
+	if pidslimit, ok := annotations[define.PIDsLimitAnnotation+"/"+opts.Container.Name]; ok {
+		s.Annotations[define.PIDsLimitAnnotation] = pidslimit
+		pidslimitAsInt, err := strconv.ParseInt(pidslimit, 10, 0)
+		if err != nil {
+			return nil, err
+		}
+		if s.ResourceLimits == nil {
+			s.ResourceLimits = &spec.LinuxResources{}
+		}
+		s.ResourceLimits.Pids = &spec.LinuxPids{
+			Limit: pidslimitAsInt,
+		}
+	}
+
 	if label, ok := opts.Annotations[define.InspectAnnotationLabel+"/"+opts.Container.Name]; ok {
 		if label == "nested" {
 			s.ContainerSecurityConfig.LabelNested = &localTrue

pkg/specgen/generate/kube/kube.go

@@ -527,6 +527,10 @@ func FillOutSpecGen(s *specgen.SpecGenerator, c *entities.ContainerCreateOptions
 		s.Annotations[define.UserNsAnnotation] = c.UserNS
 	}
 
+	if c.PIDsLimit != nil {
+		s.Annotations[define.PIDsLimitAnnotation] = strconv.FormatInt(*c.PIDsLimit, 10)
+	}
+
 	if len(c.StorageOpts) > 0 {
 		opts := make(map[string]string, len(c.StorageOpts))
 		for _, opt := range c.StorageOpts {

pkg/specgenutil/specgen.go

@@ -6180,4 +6180,31 @@ spec:
 		Expect(execArr[len(execArr)-1]).To(Not(ContainSubstring(arr[len(arr)-1])))
 	})
 
+	It("test pids-limit annotation", func() {
+		ctrAnnotation := "io.podman.annotations.pids-limit/" + defaultCtrName
+		pod := getPod(withAnnotation(ctrAnnotation, "10"), withPodInitCtr(getCtr(withImage(CITEST_IMAGE), withCmd([]string{"printenv", "container"}), withInitCtr(), withName("init-test"))), withCtr(getCtr(withImage(CITEST_IMAGE), withCmd([]string{"top"}))))
+		err := generateKubeYaml("pod", pod, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		kube := podmanTest.Podman([]string{"kube", "play", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).Should(ExitCleanly())
+
+		exec := podmanTest.PodmanExitCleanly("exec", "testPod-"+defaultCtrName, "cat", "/sys/fs/cgroup/pids.max")
+		Expect(exec.OutputToString()).To(Equal("10"))
+	})
+
+	It("test --pids-limit command line option", func() {
+		pod := getPod(withPodInitCtr(getCtr(withImage(CITEST_IMAGE), withCmd([]string{"printenv", "container"}), withInitCtr(), withName("init-test"))), withCtr(getCtr(withImage(CITEST_IMAGE), withCmd([]string{"top"}))))
+		err := generateKubeYaml("pod", pod, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		kube := podmanTest.Podman([]string{"kube", "play", kubeYaml, "--pids-limit", "10"})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).Should(ExitCleanly())
+
+		exec := podmanTest.PodmanExitCleanly("exec", "testPod-"+defaultCtrName, "cat", "/sys/fs/cgroup/pids.max")
+		Expect(exec.OutputToString()).To(Equal("10"))
+	})
+
 })