add option for containerd non-root device usage flag

cmd/osm-controller/main.go

@@ -79,10 +79,11 @@ type options struct {
 	workerMetricsAddress     string
 
 	// Flags for configuring CRI
-	nodeInsecureRegistries        string
-	nodeRegistryMirrors           string
-	nodeRegistryCredentialsSecret string
-	nodeContainerdRegistryMirrors containerruntime.RegistryMirrorsFlags
+	nodeInsecureRegistries             string
+	nodeRegistryMirrors                string
+	nodeRegistryCredentialsSecret      string
+	nodeContainerdRegistryMirrors      containerruntime.RegistryMirrorsFlags
+	deviceOwnershipFromSecurityContext bool
 
 	// Flags for proxy
 	nodeHTTPProxy string
@@ -130,6 +131,7 @@ func main() {
 	flag.StringVar(&opt.nodeNoProxy, "node-no-proxy", ".svc,.cluster.local,localhost,127.0.0.1", "If set, it configures the 'NO_PROXY' environment variable on the nodes.")
 	flag.StringVar(&opt.nodeInsecureRegistries, "node-insecure-registries", "", "Comma separated list of registries which should be configured as insecure on the container runtime")
 	flag.StringVar(&opt.nodeRegistryMirrors, "node-registry-mirrors", "", "Comma separated list of Docker image mirrors")
+	flag.BoolVar(&opt.deviceOwnershipFromSecurityContext, "device-ownership-from-security-context", false, "Enable non-root device usage")
 
 	if opt.nodeContainerdRegistryMirrors == nil {
 		opt.nodeContainerdRegistryMirrors = containerruntime.RegistryMirrorsFlags{}
@@ -216,12 +218,13 @@ func main() {
 
 	// Build container-runtime configuration
 	containerRuntimeOpts := containerruntime.Opts{
-		ContainerRuntime:          opt.containerRuntime,
-		ContainerdRegistryMirrors: opt.nodeContainerdRegistryMirrors,
-		InsecureRegistries:        opt.nodeInsecureRegistries,
-		PauseImage:                opt.pauseImage,
-		RegistryMirrors:           opt.nodeRegistryMirrors,
-		RegistryCredentialsSecret: opt.nodeRegistryCredentialsSecret,
+		ContainerRuntime:                   opt.containerRuntime,
+		ContainerdRegistryMirrors:          opt.nodeContainerdRegistryMirrors,
+		InsecureRegistries:                 opt.nodeInsecureRegistries,
+		PauseImage:                         opt.pauseImage,
+		RegistryMirrors:                    opt.nodeRegistryMirrors,
+		RegistryCredentialsSecret:          opt.nodeRegistryCredentialsSecret,
+		DeviceOwnershipFromSecurityContext: opt.deviceOwnershipFromSecurityContext,
 	}
 	containerRuntimeConfig, err := containerruntime.BuildConfig(containerRuntimeOpts)
 	if err != nil {

pkg/containerruntime/config.go

@@ -30,13 +30,14 @@ import (
 )
 
 type Opts struct {
-	ContainerRuntime          string
-	ContainerdVersion         string
-	InsecureRegistries        string
-	RegistryMirrors           string
-	RegistryCredentialsSecret string
-	PauseImage                string
-	ContainerdRegistryMirrors RegistryMirrorsFlags
+	ContainerRuntime                   string
+	ContainerdVersion                  string
+	InsecureRegistries                 string
+	RegistryMirrors                    string
+	RegistryCredentialsSecret          string
+	PauseImage                         string
+	ContainerdRegistryMirrors          RegistryMirrorsFlags
+	DeviceOwnershipFromSecurityContext bool
 }
 
 type DockerCfgJSON struct {
@@ -98,6 +99,7 @@ func BuildConfig(opts Opts) (Config, error) {
 		withRegistryMirrors(opts.ContainerdRegistryMirrors),
 		withSandboxImage(opts.PauseImage),
 		withContainerdVersion(opts.ContainerdVersion),
+		withDeviceOwnershipFromSecurityContext(opts.DeviceOwnershipFromSecurityContext),
 	), nil
 }
 

pkg/containerruntime/containerd.go

@@ -23,11 +23,12 @@ import (
 )
 
 type Containerd struct {
-	insecureRegistries  []string
-	registryMirrors     map[string][]string
-	sandboxImage        string
-	registryCredentials map[string]AuthConfig
-	version             string
+	insecureRegistries                 []string
+	registryMirrors                    map[string][]string
+	sandboxImage                       string
+	registryCredentials                map[string]AuthConfig
+	version                            string
+	deviceOwnershipFromSecurityContext bool
 }
 
 func (eng *Containerd) ConfigFileName() string {
@@ -63,9 +64,10 @@ type containerdMetrics struct {
 }
 
 type containerdCRIPlugin struct {
-	Containerd   *containerdCRISettings `toml:"containerd"`
-	Registry     *containerdCRIRegistry `toml:"registry"`
-	SandboxImage string                 `toml:"sandbox_image,omitempty"`
+	Containerd                         *containerdCRISettings `toml:"containerd"`
+	Registry                           *containerdCRIRegistry `toml:"registry"`
+	SandboxImage                       string                 `toml:"sandbox_image,omitempty"`
+	DeviceOwnershipFromSecurityContext bool                   `toml:"device_ownership_from_security_context"`
 }
 
 type containerdCRISettings struct {
@@ -101,7 +103,8 @@ type containerdRegistryTLSConfig struct {
 
 func (eng *Containerd) Config() (string, error) {
 	criPlugin := containerdCRIPlugin{
-		SandboxImage: eng.sandboxImage,
+		SandboxImage:                       eng.sandboxImage,
+		DeviceOwnershipFromSecurityContext: eng.deviceOwnershipFromSecurityContext,
 		Containerd: &containerdCRISettings{
 			Runtimes: map[string]containerdCRIRuntime{
 				"runc": {

pkg/containerruntime/containerruntime.go

@@ -55,6 +55,12 @@ func withContainerdVersion(version string) Opt {
 	}
 }
 
+func withDeviceOwnershipFromSecurityContext(deviceOwnershipFromSecurityContext bool) Opt {
+	return func(cfg *Config) {
+		cfg.DeviceOwnershipFromSecurityContext = deviceOwnershipFromSecurityContext
+	}
+}
+
 func get(_ string, opts ...Opt) Config {
 	cfg := Config{}
 	cfg.Containerd = &Containerd{}
@@ -67,14 +73,15 @@ func get(_ string, opts ...Opt) Config {
 }
 
 type Config struct {
-	Containerd           *Containerd           `json:",omitempty"`
-	InsecureRegistries   []string              `json:",omitempty"`
-	RegistryMirrors      map[string][]string   `json:",omitempty"`
-	RegistryCredentials  map[string]AuthConfig `json:",omitempty"`
-	SandboxImage         string                `json:",omitempty"`
-	ContainerLogMaxFiles string                `json:",omitempty"`
-	ContainerLogMaxSize  string                `json:",omitempty"`
-	ContainerdVersion    string                `json:",omitempty"`
+	Containerd                         *Containerd           `json:",omitempty"`
+	InsecureRegistries                 []string              `json:",omitempty"`
+	RegistryMirrors                    map[string][]string   `json:",omitempty"`
+	RegistryCredentials                map[string]AuthConfig `json:",omitempty"`
+	SandboxImage                       string                `json:",omitempty"`
+	ContainerLogMaxFiles               string                `json:",omitempty"`
+	ContainerLogMaxSize                string                `json:",omitempty"`
+	ContainerdVersion                  string                `json:",omitempty"`
+	DeviceOwnershipFromSecurityContext bool                  `json:",omitempty"`
 }
 
 // AuthConfig is a COPY of github.com/containerd/containerd/pkg/cri/config.AuthConfig.
@@ -98,11 +105,12 @@ func (cfg Config) String() string {
 
 func (cfg Config) Engine() Engine {
 	containerd := &Containerd{
-		insecureRegistries:  cfg.InsecureRegistries,
-		registryMirrors:     cfg.RegistryMirrors,
-		sandboxImage:        cfg.SandboxImage,
-		registryCredentials: cfg.RegistryCredentials,
-		version:             cfg.ContainerdVersion,
+		insecureRegistries:                 cfg.InsecureRegistries,
+		registryMirrors:                    cfg.RegistryMirrors,
+		sandboxImage:                       cfg.SandboxImage,
+		registryCredentials:                cfg.RegistryCredentials,
+		version:                            cfg.ContainerdVersion,
+		deviceOwnershipFromSecurityContext: cfg.DeviceOwnershipFromSecurityContext,
 	}
 	return containerd
 }

pkg/controllers/osc/testdata/osc-flatcar-aws-containerd.yaml

@@ -592,6 +592,7 @@ spec:
             [plugins]
             [plugins."io.containerd.grpc.v1.cri"]
             sandbox_image = "192.168.100.100:5000/kubernetes/pause:v3.1"
+            device_ownership_from_security_context = false
             [plugins."io.containerd.grpc.v1.cri".containerd]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]

pkg/controllers/osc/testdata/osc-kubelet-configuration-containerd.yaml

@@ -632,6 +632,7 @@ spec:
             [plugins]
             [plugins."io.containerd.grpc.v1.cri"]
             sandbox_image = "192.168.100.100:5000/kubernetes/pause:v3.1"
+            device_ownership_from_security_context = false
             [plugins."io.containerd.grpc.v1.cri".containerd]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]

pkg/controllers/osc/testdata/osc-rhel-8.x-azure-containerd.yaml

@@ -675,6 +675,7 @@ spec:
             [plugins]
             [plugins."io.containerd.grpc.v1.cri"]
             sandbox_image = "192.168.100.100:5000/kubernetes/pause:v3.1"
+            device_ownership_from_security_context = false
             [plugins."io.containerd.grpc.v1.cri".containerd]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]

pkg/controllers/osc/testdata/osc-rhel-8.x-cloud-init-modules.yaml

@@ -666,6 +666,7 @@ spec:
             [plugins]
             [plugins."io.containerd.grpc.v1.cri"]
             sandbox_image = "192.168.100.100:5000/kubernetes/pause:v3.1"
+            device_ownership_from_security_context = false
             [plugins."io.containerd.grpc.v1.cri".containerd]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]

pkg/controllers/osc/testdata/osc-ubuntu-aws-containerd.yaml

@@ -638,6 +638,7 @@ spec:
             [plugins]
             [plugins."io.containerd.grpc.v1.cri"]
             sandbox_image = "192.168.100.100:5000/kubernetes/pause:v3.1"
+            device_ownership_from_security_context = false
             [plugins."io.containerd.grpc.v1.cri".containerd]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]

pkg/controllers/osc/testdata/osc-ubuntu-aws-dualstack-IPv6+IPv4.yaml

@@ -643,6 +643,7 @@ spec:
             [plugins]
             [plugins."io.containerd.grpc.v1.cri"]
             sandbox_image = "192.168.100.100:5000/kubernetes/pause:v3.1"
+            device_ownership_from_security_context = false
             [plugins."io.containerd.grpc.v1.cri".containerd]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]

pkg/controllers/osc/testdata/osc-ubuntu-aws-dualstack.yaml

@@ -642,6 +642,7 @@ spec:
             [plugins]
             [plugins."io.containerd.grpc.v1.cri"]
             sandbox_image = "192.168.100.100:5000/kubernetes/pause:v3.1"
+            device_ownership_from_security_context = false
             [plugins."io.containerd.grpc.v1.cri".containerd]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]