mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-20 01:23:48 +00:00
Clean up dockershim flags in the kubelet
Signed-off-by: cyclinder <qifeng.guo@daocloud.io> Co-authored-by: Ciprian Hacman <ciprian@hakman.dev> Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
This commit is contained in:
cyclinder
committed by
Ciprian Hacman
Ciprian Hacman
parent
03bcfab1a6
commit
07999dac70
@@ -173,142 +173,3 @@ func (a *appArmorAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
|
||||
Message: fmt.Sprintf("Cannot enforce AppArmor: %v", err),
|
||||
}
|
||||
}
|
||||
|
||||
// NewNoNewPrivsAdmitHandler returns a PodAdmitHandler which is used to evaluate
|
||||
// if a pod can be admitted from the perspective of NoNewPrivs.
|
||||
func NewNoNewPrivsAdmitHandler(runtime kubecontainer.Runtime) PodAdmitHandler {
|
||||
return &noNewPrivsAdmitHandler{
|
||||
Runtime: runtime,
|
||||
}
|
||||
}
|
||||
|
||||
type noNewPrivsAdmitHandler struct {
|
||||
kubecontainer.Runtime
|
||||
}
|
||||
|
||||
func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
|
||||
// If the pod is already running or terminated, no need to recheck NoNewPrivs.
|
||||
if attrs.Pod.Status.Phase != v1.PodPending {
|
||||
return PodAdmitResult{Admit: true}
|
||||
}
|
||||
|
||||
// If the containers in a pod do not require no-new-privs, admit it.
|
||||
if !noNewPrivsRequired(attrs.Pod) {
|
||||
return PodAdmitResult{Admit: true}
|
||||
}
|
||||
|
||||
// Always admit runtimes except docker.
|
||||
if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
|
||||
return PodAdmitResult{Admit: true}
|
||||
}
|
||||
|
||||
// Make sure docker api version is valid.
|
||||
rversion, err := a.Runtime.APIVersion()
|
||||
if err != nil {
|
||||
return PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: "NoNewPrivs",
|
||||
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
|
||||
}
|
||||
}
|
||||
v, err := rversion.Compare("1.23.0")
|
||||
if err != nil {
|
||||
return PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: "NoNewPrivs",
|
||||
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
|
||||
}
|
||||
}
|
||||
// If the version is less than 1.23 it will return -1 above.
|
||||
if v == -1 {
|
||||
return PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: "NoNewPrivs",
|
||||
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
|
||||
}
|
||||
}
|
||||
|
||||
return PodAdmitResult{Admit: true}
|
||||
}
|
||||
|
||||
func noNewPrivsRequired(pod *v1.Pod) bool {
|
||||
// Iterate over pod containers and check if we added no-new-privs.
|
||||
for _, c := range pod.Spec.Containers {
|
||||
if c.SecurityContext != nil && c.SecurityContext.AllowPrivilegeEscalation != nil && !*c.SecurityContext.AllowPrivilegeEscalation {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// NewProcMountAdmitHandler returns a PodAdmitHandler which is used to evaluate
|
||||
// if a pod can be admitted from the perspective of ProcMount.
|
||||
func NewProcMountAdmitHandler(runtime kubecontainer.Runtime) PodAdmitHandler {
|
||||
return &procMountAdmitHandler{
|
||||
Runtime: runtime,
|
||||
}
|
||||
}
|
||||
|
||||
type procMountAdmitHandler struct {
|
||||
kubecontainer.Runtime
|
||||
}
|
||||
|
||||
func (a *procMountAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult {
|
||||
// If the pod is already running or terminated, no need to recheck NoNewPrivs.
|
||||
if attrs.Pod.Status.Phase != v1.PodPending {
|
||||
return PodAdmitResult{Admit: true}
|
||||
}
|
||||
|
||||
// If the containers in a pod only need the default ProcMountType, admit it.
|
||||
if procMountIsDefault(attrs.Pod) {
|
||||
return PodAdmitResult{Admit: true}
|
||||
}
|
||||
|
||||
// Always admit runtimes except docker.
|
||||
if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
|
||||
return PodAdmitResult{Admit: true}
|
||||
}
|
||||
|
||||
// Make sure docker api version is valid.
|
||||
// Merged in https://github.com/moby/moby/pull/36644
|
||||
rversion, err := a.Runtime.APIVersion()
|
||||
if err != nil {
|
||||
return PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: "ProcMount",
|
||||
Message: fmt.Sprintf("Cannot enforce ProcMount: %v", err),
|
||||
}
|
||||
}
|
||||
v, err := rversion.Compare("1.38.0")
|
||||
if err != nil {
|
||||
return PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: "ProcMount",
|
||||
Message: fmt.Sprintf("Cannot enforce ProcMount: %v", err),
|
||||
}
|
||||
}
|
||||
// If the version is less than 1.38 it will return -1 above.
|
||||
if v == -1 {
|
||||
return PodAdmitResult{
|
||||
Admit: false,
|
||||
Reason: "ProcMount",
|
||||
Message: fmt.Sprintf("Cannot enforce ProcMount: docker runtime API version %q must be greater than or equal to 1.38", rversion.String()),
|
||||
}
|
||||
}
|
||||
|
||||
return PodAdmitResult{Admit: true}
|
||||
}
|
||||
|
||||
func procMountIsDefault(pod *v1.Pod) bool {
|
||||
// Iterate over pod containers and check if we are using the DefaultProcMountType
|
||||
// for all containers.
|
||||
for _, c := range pod.Spec.Containers {
|
||||
if c.SecurityContext != nil {
|
||||
if c.SecurityContext.ProcMount != nil && *c.SecurityContext.ProcMount != v1.DefaultProcMount {
|
||||
return false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user