@AutuSnow

What type of PR is this?

/kind feature

What this PR does / why we need it:

  1. Verify that the CRI implementation can correctly handle mounting an image volume in a Pod with a user namespace
  2. Ensure that file ownership is correctly mapped through idmap mounts
  3. Verify that files in the image volume can be accessed in the container

Which issue(s) this PR fixes:

Fixes:
#1979 (comment)
containerd/containerd#12816

Special notes for your reviewer:

Does this PR introduce a user-facing change?


@k8s-ci-robot added the kind/feature label (Categorizes issue or PR as related to a new feature.) on Jan 27, 2026
@k8s-ci-robot added the cncf-cla: yes label (Indicates the PR's author has signed the CNCF CLA.) on Jan 27, 2026
@k8s-ci-robot
Contributor

Welcome @AutuSnow!

It looks like this is your first PR to kubernetes-sigs/cri-tools 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/cri-tools has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot added the size/M label (Denotes a PR that changes 30-99 lines, ignoring generated files.) on Jan 27, 2026
@AutuSnow
Author

/release-note-none

@AutuSnow
Author

/assign @rata

@k8s-ci-robot
Contributor

@AutuSnow: GitHub didn't allow me to assign the following users: rata.

Note that only kubernetes-sigs members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @rata

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Contributor

@rata rata left a comment

LGTM when tests are passing. But I'm not empowered on this repo :)

@k8s-ci-robot
Contributor

@rata: changing LGTM is restricted to collaborators

In response to this:

LGTM when tests are passing. But I'm not empowered on this repo :)

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: AutuSnow, rata
Once this PR has been reviewed and has the lgtm label, please assign random-liu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@AutuSnow
Author

/retest

@k8s-ci-robot
Contributor

@AutuSnow: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest

@AutuSnow
Author

LGTM when tests are passing. But I don't have permissions on this repo :)

I didn't understand the reason for this test error

@saschagrunert
Member

critest fails:

  [FAILED] expected log "0:0" (stream="stdout") not found in logs [{timestamp:{wall:142613794 ext:63905127136 loc:<nil>} stream:stdout log:total 40
  } {timestamp:{wall:142647637 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    2 65534    65534        12288 Dec 24  2018 bin
  } {timestamp:{wall:142651124 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    2 65534    65534         4096 Dec 24  2018 dev
  } {timestamp:{wall:142652977 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    3 65534    65534         4096 Dec 24  2018 etc
  } {timestamp:{wall:142654731 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    2 64534    64534         4096 Dec 24  2018 home
  } {timestamp:{wall:142674708 ext:63905127136 loc:<nil>} stream:stdout log:drwx------    2 65534    65534         4096 Dec 24  2018 root
  } {timestamp:{wall:142678125 ext:63905127136 loc:<nil>} stream:stdout log:drwxrwxrwt    2 65534    65534         4096 Dec 24  2018 tmp
  } {timestamp:{wall:142680770 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    3 65534    65534         4096 Dec 24  2018 usr
  } {timestamp:{wall:142683545 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    4 65534    65534         4096 Dec 24  2018 var
  } {timestamp:{wall:142965385 ext:63905127136 loc:<nil>} stream:stdout log:65534:65534
  }]
  Expected
      <bool>: false
  to be true
  In [It] at: sigs.k8s.io/cri-tools/pkg/validate/container.go:672 @ 01/27/26 16:12:20.146
  < Exit [It] runtime should support image volumes with user namespaces - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:1028 @ 01/27/26 16:12:20.146 (4.385s)
  > Enter [AfterEach] [k8s.io] Security Context - sigs.k8s.io/cri-tools/pkg/framework/framework.go:50 @ 01/27/26 16:12:20.146
  < Exit [AfterEach] [k8s.io] Security Context - sigs.k8s.io/cri-tools/pkg/framework/framework.go:50 @ 01/27/26 16:12:20.146 (0s)
  > Enter [AfterEach] [k8s.io] Security Context - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:64 @ 01/27/26 16:12:20.146
  STEP: stop PodSandbox - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:66 @ 01/27/26 16:12:20.146
  STEP: delete PodSandbox - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:68 @ 01/27/26 16:12:20.313
  < Exit [AfterEach] [k8s.io] Security Context - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:64 @ 01/27/26 16:12:20.33 (184ms)
  << Timeline
------------------------------
+ TEST_RC=1
+ test 1 -ne 0
+ cat /var/lib/containerd-critest/containerd-cri.log

Summarizing 1 Failure:
  [FAIL] [k8s.io] Security Context UserNamespaces when Host idmap mount support is needed [It] runtime should support image volumes with user namespaces
  sigs.k8s.io/cri-tools/pkg/validate/container.go:672

Ran 109 of 114 Specs in 25.450 seconds
FAIL! -- 108 Passed | 1 Failed | 0 Pending | 5 Skipped
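
An added example (not code from this PR or from cri-tools): a small Go check over the container stdout lines quoted above that looks for the expected `0:0` line and lists entries whose owner is 65534, the default Linux overflow UID/GID that stat reports for an owner with no mapping in the user namespace. The names `CheckOwnership`, `OwnershipReport` and `sampleLog` are assumptions of this example; the sample lines are copied from the log above.

```go
package main

import (
	"fmt"
	"strings"
)

// overflowID is the Linux default for /proc/sys/kernel/overflowuid and
// overflowgid, reported for owners that are unmapped in the user namespace.
const overflowID = "65534"

// OwnershipReport summarizes what the container printed about the volume.
type OwnershipReport struct {
	ExpectedFound bool     // the exact "uid:gid" line the test waits for
	Unmapped      []string // entries whose numeric owner is the overflow ID
}

// CheckOwnership scans numeric long-listing lines and a bare "uid:gid" line.
// Assumption: the listing has the nine-column layout seen in the log above.
func CheckOwnership(lines []string, expected string) OwnershipReport {
	var r OwnershipReport
	for _, line := range lines {
		f := strings.Fields(line)
		switch {
		case len(f) == 1 && f[0] == expected:
			r.ExpectedFound = true
		case len(f) == 1 && f[0] == overflowID+":"+overflowID:
			r.Unmapped = append(r.Unmapped, "(uid:gid line)")
		case len(f) >= 9 && (f[2] == overflowID || f[3] == overflowID):
			// columns: mode links uid gid size month day year name
			r.Unmapped = append(r.Unmapped, f[len(f)-1])
		}
	}
	return r
}

// sampleLog holds stdout lines copied from the critest failure above.
var sampleLog = []string{
	"total 40",
	"drwxr-xr-x    2 65534    65534        12288 Dec 24  2018 bin",
	"drwxr-xr-x    2 64534    64534         4096 Dec 24  2018 home",
	"drwx------    2 65534    65534         4096 Dec 24  2018 root",
	"65534:65534",
}

func main() {
	r := CheckOwnership(sampleLog, "0:0")
	fmt.Printf("expected found: %v, overflow-owned: %v\n", r.ExpectedFound, r.Unmapped)
}
```
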

@AutuSnow
Author

critest fails:

  [FAILED] expected log "0:0" (stream="stdout") not found in logs [{timestamp:{wall:142613794 ext:63905127136 loc:<nil>} stream:stdout log:total 40
  } {timestamp:{wall:142647637 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    2 65534    65534        12288 Dec 24  2018 bin
  } {timestamp:{wall:142651124 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    2 65534    65534         4096 Dec 24  2018 dev
  } {timestamp:{wall:142652977 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    3 65534    65534         4096 Dec 24  2018 etc
  } {timestamp:{wall:142654731 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    2 64534    64534         4096 Dec 24  2018 home
  } {timestamp:{wall:142674708 ext:63905127136 loc:<nil>} stream:stdout log:drwx------    2 65534    65534         4096 Dec 24  2018 root
  } {timestamp:{wall:142678125 ext:63905127136 loc:<nil>} stream:stdout log:drwxrwxrwt    2 65534    65534         4096 Dec 24  2018 tmp
  } {timestamp:{wall:142680770 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    3 65534    65534         4096 Dec 24  2018 usr
  } {timestamp:{wall:142683545 ext:63905127136 loc:<nil>} stream:stdout log:drwxr-xr-x    4 65534    65534         4096 Dec 24  2018 var
  } {timestamp:{wall:142965385 ext:63905127136 loc:<nil>} stream:stdout log:65534:65534
  }]
  Expected
      <bool>: false
  to be true
  In [It] at: sigs.k8s.io/cri-tools/pkg/validate/container.go:672 @ 01/27/26 16:12:20.146
  < Exit [It] runtime should support image volumes with user namespaces - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:1028 @ 01/27/26 16:12:20.146 (4.385s)
  > Enter [AfterEach] [k8s.io] Security Context - sigs.k8s.io/cri-tools/pkg/framework/framework.go:50 @ 01/27/26 16:12:20.146
  < Exit [AfterEach] [k8s.io] Security Context - sigs.k8s.io/cri-tools/pkg/framework/framework.go:50 @ 01/27/26 16:12:20.146 (0s)
  > Enter [AfterEach] [k8s.io] Security Context - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:64 @ 01/27/26 16:12:20.146
  STEP: stop PodSandbox - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:66 @ 01/27/26 16:12:20.146
  STEP: delete PodSandbox - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:68 @ 01/27/26 16:12:20.313
  < Exit [AfterEach] [k8s.io] Security Context - sigs.k8s.io/cri-tools/pkg/validate/security_context_linux.go:64 @ 01/27/26 16:12:20.33 (184ms)
  << Timeline
------------------------------
+ TEST_RC=1
+ test 1 -ne 0
+ cat /var/lib/containerd-critest/containerd-cri.log

Summarizing 1 Failure:
  [FAIL] [k8s.io] Security Context UserNamespaces when Host idmap mount support is needed [It] runtime should support image volumes with user namespaces
  sigs.k8s.io/cri-tools/pkg/validate/container.go:672

Ran 109 of 114 Specs in 25.450 seconds
FAIL! -- 108 Passed | 1 Failed | 0 Pending | 5 Skipped

Thank you very much for your tips

@AutuSnow force-pushed the feat/validation_image_volumes branch from 4e798e2 to d413443 on January 28, 2026 11:30
@AutuSnow
Author

@rata Can I click another approval? Otherwise, the test cannot run

@rata
Contributor

rata commented Jan 28, 2026

@saschagrunert can you help with running the tests again? I think I don't have permissions on this repo to do it myself
