From 18a0e80a336fa8519edfd47b9516d6815ff0afd6 Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Mon, 29 Jan 2018 18:55:40 +0000
Subject: [PATCH] Fix pod sandbox privilege.
Signed-off-by: Lantao Liu
---
 pkg/kubelet/container/helpers.go | 2 +-
 pkg/kubelet/container/helpers_test.go | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/pkg/kubelet/container/helpers.go b/pkg/kubelet/container/helpers.go
index 32dbc745b30..cc3f1881131 100644
--- a/pkg/kubelet/container/helpers.go
+++ b/pkg/kubelet/container/helpers.go
@@ -302,7 +302,7 @@ func GetContainerSpec(pod *v1.Pod, containerName string) *v1.Container {
 // HasPrivilegedContainer returns true if any of the containers in the pod are privileged.
 func HasPrivilegedContainer(pod *v1.Pod) bool {
- for _, c := range pod.Spec.Containers {
+ for _, c := range append(pod.Spec.Containers, pod.Spec.InitContainers...) {
 if c.SecurityContext != nil && c.SecurityContext.Privileged != nil && *c.SecurityContext.Privileged {
diff --git a/pkg/kubelet/container/helpers_test.go b/pkg/kubelet/container/helpers_test.go
index f907e83e825..14d9d6e6c8c 100644
--- a/pkg/kubelet/container/helpers_test.go
+++ b/pkg/kubelet/container/helpers_test.go
@@ -254,6 +254,20 @@ func TestHasPrivilegedContainer(t *testing.T) {
 t.Errorf("%s expected %t but got %t", k, v.expected, actual)
 }
 }
+ // Test init containers as well.
+ for k, v := range tests {
+ pod := &v1.Pod{
+ Spec: v1.PodSpec{
+ InitContainers: []v1.Container{
+ {SecurityContext: v.securityContext},
+ },
+ },
+ }
+ actual := HasPrivilegedContainer(pod)
+ if actual != v.expected {
+ t.Errorf("%s expected %t but got %t", k, v.expected, actual)
+ }
+ }
 }
 func TestMakePortMappings(t *testing.T) {
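Review bot: In HasPrivilegedContainer (pkg/kubelet/container/helpers.go), the new loop header `append(pod.Spec.Containers, pod.Spec.InitContainers...)` can write into the backing array of `pod.Spec.Containers` whenever that slice has spare capacity, so a read-only predicate ends up touching memory owned by the pod spec, and concurrent callers on the same pod could race on it. Judging by the commit subject, this result feeds the sandbox privilege decision, so the check should not depend on slice aliasing. Iterate the two slices without joining them, for example an outer `for _, cs := range [][]v1.Container{pod.Spec.Containers, pod.Spec.InitContainers} {` around `for _, c := range cs {`, which also avoids an allocation on every call. The function body continues past the end of the hunk.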
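Review bot: The added loop in TestHasPrivilegedContainer builds pods whose only container is an init container, so it never covers a pod that carries both kinds, which is presumably the case the fix is about. Adding `Containers: []v1.Container{{}},` to the `v1.PodSpec` literal would put an unprivileged regular container next to the init container under test while keeping the expected values the same. A case where `Containers` has spare capacity would additionally pin that the helper leaves the pod spec unchanged. The earlier loop whose assertion block this one repeats starts outside the hunk.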