Avoid setting Masked/ReadOnly paths when pod is privileged

In the recent PR on adding ProcMount, we introduced a regression when pods are privileged. This shows up in 18.06 docker with kubeadm in the kube-proxy container. The kube-proxy container is privilged, but we end up setting the `/proc/sys` to Read-Only which causes failures when running kube-proxy as a pod. This shows up as a failure when using sysctl to set various network things. Change-Id: Ic61c4c9c961843a4e064e783fab0b54350762a8d
2025-07-31 07:20:13 +00:00 · 2018-09-18 16:53:53 -04:00 · 2018-09-18 16:53:53 -04:00 · 02489f8988
commit 02489f8988
parent 9d8c9cc9fe
2 changed files with 25 additions and 2 deletions
--- a/pkg/kubelet/dockershim/security_context.go
+++ b/pkg/kubelet/dockershim/security_context.go
@ -137,8 +137,10 @@ func modifyHostConfig(sc *runtimeapi.LinuxContainerSecurityContext, hostConfig *
 		hostConfig.SecurityOpt = append(hostConfig.SecurityOpt, "no-new-privileges")
 	}

-	hostConfig.MaskedPaths = sc.MaskedPaths
-	hostConfig.ReadonlyPaths = sc.ReadonlyPaths
+	if !hostConfig.Privileged {
+		hostConfig.MaskedPaths = sc.MaskedPaths
+		hostConfig.ReadonlyPaths = sc.ReadonlyPaths
+	}

 	return nil
 }
--- a/pkg/kubelet/dockershim/security_context_test.go
+++ b/pkg/kubelet/dockershim/security_context_test.go
@ -110,11 +110,27 @@ func TestModifyContainerConfig(t *testing.T) {

 func TestModifyHostConfig(t *testing.T) {
 	setNetworkHC := &dockercontainer.HostConfig{}
+
+	// When we have Privileged pods, we do not need to use the
+	// Masked / Readonly paths.
 	setPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
 	setPrivSC.Privileged = true
+	setPrivSC.MaskedPaths = []string{"/hello/world/masked"}
+	setPrivSC.ReadonlyPaths = []string{"/hello/world/readonly"}
 	setPrivHC := &dockercontainer.HostConfig{
 		Privileged: true,
 	}
+
+	unsetPrivSC := &runtimeapi.LinuxContainerSecurityContext{}
+	unsetPrivSC.Privileged = false
+	unsetPrivSC.MaskedPaths = []string{"/hello/world/masked"}
+	unsetPrivSC.ReadonlyPaths = []string{"/hello/world/readonly"}
+	unsetPrivHC := &dockercontainer.HostConfig{
+		Privileged:    false,
+		MaskedPaths:   []string{"/hello/world/masked"},
+		ReadonlyPaths: []string{"/hello/world/readonly"},
+	}
+
 	setCapsHC := &dockercontainer.HostConfig{
 		CapAdd:  []string{"addCapA", "addCapB"},
 		CapDrop: []string{"dropCapA", "dropCapB"},
@ -148,6 +164,11 @@ func TestModifyHostConfig(t *testing.T) {
 			sc:       setPrivSC,
 			expected: setPrivHC,
 		},
+		{
+			name:     "container.SecurityContext.NoPrivileges",
+			sc:       unsetPrivSC,
+			expected: unsetPrivHC,
+		},
 		{
 			name: "container.SecurityContext.Capabilities",
 			sc: &runtimeapi.LinuxContainerSecurityContext{