Add pod examples for user namespace support

userns-tests/default-standard.yaml

@@ -0,0 +1,15 @@
+# Pod without the userns annotation and without any feature that would cause
+# the user namespace support to be disable if available in the runtime.
+# User namespace should be used if available in the runtime.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: default-standard
+  namespace: default
+spec:
+  restartPolicy: Never
+  containers:
+  - name: container1
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "sleep infinity"]

userns-tests/detault-special.yaml

@@ -0,0 +1,15 @@
+# Pod without the userns annotation and with special features that would cause
+# the user namespace support to be disabled.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: default-special
+  namespace: default
+spec:
+  restartPolicy: Never
+  containers:
+  - name: container1
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "sleep infinity"]
+  hostNetwork: true

userns-tests/ipc/test-dev-shm.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-dev-shm
+  namespace: default
+  annotations:
+    alpha.kinvolk.io/userns: "pod"
+spec:
+  restartPolicy: Never
+  containers:
+  - name: reader
+    image: busybox
+    command: ["sh"]
+    args: ["-c", 'content=$(cat /dev/shm//foo.txt); if [[ "$content" != "bar" ]]; then exit 1; else exit 0; fi']
+  initContainers:
+  - name: writer
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "echo 'bar' > /dev/shm/foo.txt"]

userns-tests/ipc/test-empty-volume.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-empty-volume
+  namespace: default
+  annotations:
+    alpha.kinvolk.io/userns: "pod"
+spec:
+  restartPolicy: Never
+  containers:
+  - name: reader
+    image: busybox
+    command: ["sh"]
+    args: ["-c", 'content=$(cat /cache2/foo.txt); if [[ "$content" != "bar" ]]; then exit 1; else exit 0; fi']
+    volumeMounts:
+    - mountPath: /cache2
+      name: cache-volume
+  initContainers:
+  - name: writer
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "echo 'bar' > /cache1/foo.txt"]
+    volumeMounts:
+    - mountPath: /cache1
+      name: cache-volume
+  volumes:
+    - name: cache-volume
+      emptyDir: {}

userns-tests/ipc/test-shm.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-shm
+  namespace: default
+  annotations:
+    alpha.kinvolk.io/userns: "pod"
+spec:
+  restartPolicy: Never
+  containers:
+  - name: reader
+    image: mauriciovasquezbernal/sharedmemoryexample
+    command: ["bash"]
+    args: ["-c", 'content=$(/reader); if [[ "$content" != "bar" ]]; then exit 1; else exit 0; fi']
+  initContainers:
+  - name: writer
+    image: mauriciovasquezbernal/sharedmemoryexample
+    command: ["/writer"]
+    args: ["bar"]

userns-tests/node-special.yaml

@@ -0,0 +1,16 @@
+# Pod user with userns set to "node" mode and special features.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: node-special
+  namespace: default
+  annotations:
+    alpha.kinvolk.io/userns: "node"
+spec:
+  restartPolicy: Never
+  containers:
+  - name: container1
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "sleep infinity"]
+  hostNetwork: true

userns-tests/node-standard.yaml

@@ -0,0 +1,15 @@
+# Pod user with userns set to "node" mode.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: node-standard
+  namespace: default
+  annotations:
+    alpha.kinvolk.io/userns: "node"
+spec:
+  restartPolicy: Never
+  containers:
+  - name: container1
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "sleep infinity"]

userns-tests/pod-special.yaml

@@ -0,0 +1,17 @@
+# Pod user with userns set to "pod" mode and special features.
+# The pod creation will fail.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-special
+  namespace: default
+  annotations:
+    alpha.kinvolk.io/userns: "pod"
+spec:
+  restartPolicy: Never
+  containers:
+  - name: container1
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "sleep infinity"]
+  hostNetwork: true

userns-tests/pod-standard.yaml

@@ -0,0 +1,16 @@
+# Pod user with userns set to "pod" mode. Pod creation would fail if userns
+# not supported by runtime.
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-standard
+  namespace: default
+  annotations:
+    alpha.kinvolk.io/userns: "pod"
+spec:
+  restartPolicy: Never
+  containers:
+  - name: container1
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "sleep infinity"]

userns-tests/volumes/pod-with-config-map.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-config-map
+  namespace: default
+data:
+  content: '"This is a ConfigMap"'
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-with-configmap
+  namespace: default
+spec:
+  securityContext:
+    # Uncomment the following lines to get different behaviours
+    #runAsUser: 1000
+    #runAsGroup: 3000
+    #fsGroup: 2000
+  restartPolicy: Never
+  containers:
+  - name: pod-with-configmap
+    image: busybox
+    command: ["sh"]
+    args: ["-c", "sleep infinity"]
+    volumeMounts:
+    - name: config-volume
+      mountPath: /etc/userns-cm/content
+  volumes:
+    - name: config-volume
+      configMap:
+        name: test-config-map
+        defaultMode: 0400