Fix pod sandbox privilege.

Signed-off-by: Lantao Liu <lantaol@google.com>
Lantao Liu 2018-01-29 18:55:40 +00:00
parent 03b3d599fe
commit 18a0e80a33
2 changed files with 15 additions and 1 deletions


@ -302,7 +302,7 @@ func GetContainerSpec(pod *v1.Pod, containerName string) *v1.Container {
// HasPrivilegedContainer returns true if any of the containers in the pod are privileged.
func HasPrivilegedContainer(pod *v1.Pod) bool {
for _, c := range pod.Spec.Containers {
for _, c := range append(pod.Spec.Containers, pod.Spec.InitContainers...) {
if c.SecurityContext != nil &&
c.SecurityContext.Privileged != nil &&
*c.SecurityContext.Privileged {
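Review bot: The new loop header `append(pod.Spec.Containers, pod.Spec.InitContainers...)` can write into the backing array of `pod.Spec.Containers` when that slice has spare capacity, so a read-only privilege check may mutate memory belonging to a pod object that other goroutines could be sharing. Because the result presumably decides whether the pod sandbox is treated as privileged, the check is better kept free of side effects. Iterating the two slices in turn avoids both the aliasing and the extra allocation, e.g. `for _, cs := range [][]v1.Container{pod.Spec.Containers, pod.Spec.InitContainers} {` with `for _, c := range cs {` inside. The function body continues past the end of the hunk, so its return paths are not visible here.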


@ -254,6 +254,20 @@ func TestHasPrivilegedContainer(t *testing.T) {
t.Errorf("%s expected %t but got %t", k, v.expected, actual)
}
}
// Test init containers as well.
for k, v := range tests {
pod := &v1.Pod{
Spec: v1.PodSpec{
InitContainers: []v1.Container{
{SecurityContext: v.securityContext},
},
},
}
actual := HasPrivilegedContainer(pod)
if actual != v.expected {
t.Errorf("%s expected %t but got %t", k, v.expected, actual)
}
}
}
func TestMakePortMappings(t *testing.T) {
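Review bot: The added loop only builds pods whose `InitContainers` is the sole populated list, so the mixed case is never exercised: an unprivileged regular container alongside a privileged init container, which is the situation the fix targets. A fixture such as `Containers: []v1.Container{{}}, InitContainers: []v1.Container{{SecurityContext: v.securityContext}},` checked against the same `v.expected` would cover it and would also catch a regression that stops scanning after the regular containers. The `tests` table is declared above the hunk, so its cases are not visible here.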