Refactor v1alpha2 Linux namespace definitions

api/v1alpha2/template.go

@@ -49,11 +49,9 @@ type Action struct {
 	// +optional
 	Volumes []Volume `json:"volumes,omitempty"`
 
-	// NetworkNamespace defines the network namespace to run the container in. This enables access
-	// to the host network namespace.
-	// See https://man7.org/linux/man-pages/man7/namespaces.7.html.
+	// Namespace defines the Linux namespaces this container should execute in.
 	// +optional
-	NetworkNamespace *string `json:"networkNamespace,omitempty"`
+	Namespace *Namespace `json:"namespaces,omitempty"`
 }
 
 // Volume is a specification for mounting a volume in an action. Volumes take the form
@@ -71,6 +69,18 @@ type Action struct {
 // See https://docs.docker.com/storage/volumes/ for additional details.
 type Volume string
 
+// Namespace defines the Linux namespaces to use for the container.
+// See https://man7.org/linux/man-pages/man7/namespaces.7.html.
+type Namespace struct {
+	// Network defines the network namespace.
+	// +optional
+	Network *string `json:"network,omitempty"`
+
+	// PID defines the PID namespace
+	// +optional
+	PID *int `json:"pid,omitempty"`
+}
+
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:categories=tinkerbell,shortName=tpl
 // +kubebuilder:unservedversion

buf.lock

@@ -4,4 +4,4 @@ deps:
   - remote: buf.build
     owner: googleapis
     repository: googleapis
-    commit: cc916c31859748a68fd229a3c8d7a2e8
+    commit: 28151c0d0a1641bf938a7672c500e01d

config/crd/bases/tinkerbell.org_hardware.yaml

@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.11.4
   name: hardware.tinkerbell.org
 spec:
   group: tinkerbell.org
@@ -421,7 +420,7 @@ spec:
                     description: NetworkInterface is the desired configuration for a particular network interface.
                     properties:
                       dhcp:
-                        description: DHCP is the basic network information for serving DHCP requests. Requires when DisbaleDHCP is false.
+                        description: DHCP is the basic network information for serving DHCP requests. Required when DisbaleDHCP is false.
                         properties:
                           gateway:
                             description: Gateway is the default gateway address to serve.

config/crd/bases/tinkerbell.org_osies.yaml

@@ -2,8 +2,7 @@
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.11.4
   name: osies.tinkerbell.org
 spec:
   group: tinkerbell.org
@@ -33,13 +32,13 @@
     - name: v1alpha2
       schema:
         openAPIV3Schema:
           description: OSIE describes an Operating System Installation Environment. It is used by Tinkerbell to provision machines and should launch the Tink Worker component.
           properties:
             apiVersion:
               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
               type: string
             kind:
               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
               type: string
             metadata:
               type: object

config/crd/bases/tinkerbell.org_templates.yaml

@@ -2,8 +2,7 @@
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.11.4
   name: templates.tinkerbell.org
 spec:
   group: tinkerbell.org
@@ -28,10 +27,10 @@
           description: Template is the Schema for the Templates API.
           properties:
             apiVersion:
               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
               type: string
             kind:
               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
               type: string
             metadata:
               type: object
@@ -56,30 +55,31 @@
     - name: v1alpha2
       schema:
         openAPIV3Schema:
           description: Template defines a set of actions to be run on a target machine. The template is rendered prior to execution where it is exposed to Hardware and user defined data. Most fields within the TemplateSpec may contain templates values excluding .TemplateSpec.Actions[].Name. See https://pkg.go.dev/text/template for more details.
           properties:
             apiVersion:
               description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
               type: string
             kind:
               description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
               type: string
             metadata:
               type: object
             spec:
               properties:
                 actions:
                   description: Actions defines the set of actions to be run on a target machine. Actions are run sequentially in the order they are specified. At least 1 action must be specified. Names of actions must be unique within a Template.
                   items:
                     description: Action defines an individual action to be run on a target machine.
                     properties:
                       args:
-                        description: Args are a set of arguments to be passed to the container on launch.
+                        description: Args are a set of arguments to be passed to the command executed by the container on launch.
                         items:
                           type: string
                         type: array
                       cmd:
-                        description: Cmd defines the command to use when launching the image.
+                        description: Cmd defines the command to use when launching the image. It overrides the default command of the action. It must be a unix path to an executable program.
+                        pattern: ^(/[^/ ]*)+/?$
                         type: string
                       env:
                         additionalProperties:
@@ -92,9 +92,16 @@
                       name:
                         description: Name is a name for the action.
                         type: string
-                      networkNamespace:
-                        description: NetworkNamespace defines the network namespace to run the container in. This enables access to the host network namespace. See https://man7.org/linux/man-pages/man7/namespaces.7.html.
-                        type: string
+                      namespaces:
+                        description: Namespace defines the Linux namespaces this container should execute in.
+                        properties:
+                          network:
+                            description: Network defines the network namespace.
+                            type: string
+                          pid:
+                            description: PID defines the PID namespace
+                            type: integer
+                        type: object
                       volumes:
                         description: Volumes defines the volumes to mount into the container.
                         items:

config/crd/bases/tinkerbell.org_workflows.yaml

@@ -2,8 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
-  creationTimestamp: null
+    controller-gen.kubebuilder.io/version: v0.11.4
   name: workflows.tinkerbell.org
 spec:
   group: tinkerbell.org
@@ -209,12 +208,13 @@ spec:
                         description: Rendered is the rendered action.
                         properties:
                           args:
-                            description: Args are a set of arguments to be passed to the container on launch.
+                            description: Args are a set of arguments to be passed to the command executed by the container on launch.
                             items:
                               type: string
                             type: array
                           cmd:
-                            description: Cmd defines the command to use when launching the image.
+                            description: Cmd defines the command to use when launching the image. It overrides the default command of the action. It must be a unix path to an executable program.
+                            pattern: ^(/[^/ ]*)+/?$
                             type: string
                           env:
                             additionalProperties:
@@ -227,9 +227,16 @@ spec:
                           name:
                             description: Name is a name for the action.
                             type: string
-                          networkNamespace:
-                            description: NetworkNamespace defines the network namespace to run the container in. This enables access to the host network namespace. See https://man7.org/linux/man-pages/man7/namespaces.7.html.
-                            type: string
+                          namespaces:
+                            description: Namespace defines the Linux namespaces this container should execute in.
+                            properties:
+                              network:
+                                description: Network defines the network namespace.
+                                type: string
+                              pid:
+                                description: PID defines the PID namespace
+                                type: integer
+                            type: object
                           volumes:
                             description: Volumes defines the volumes to mount into the container.
                             items:

config/server-rbac/role.yaml

@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   name: server-role
 rules:
   - apiGroups: