From 28286d689007165c82e22521c5608e9abc9b4e6b Mon Sep 17 00:00:00 2001
From: xiangpengzhao
Date: Thu, 16 Jun 2016 21:36:07 -0400
Subject: [PATCH] Refactor func canRunPod
---
 pkg/kubelet/util.go | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/pkg/kubelet/util.go b/pkg/kubelet/util.go
index ae2d94bfa12..dba4269a82f 100644
--- a/pkg/kubelet/util.go
+++ b/pkg/kubelet/util.go
@@ -27,7 +27,24 @@ import (
 // Check whether we have the capabilities to run the specified pod.
 func canRunPod(pod *api.Pod) error {
-	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostNetwork {
+	if !capabilities.Get().AllowPrivileged {
+		for _, container := range pod.Spec.Containers {
+			if securitycontext.HasPrivilegedRequest(&container) {
+				return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
+			}
+		}
+		for _, container := range pod.Spec.InitContainers {
+			if securitycontext.HasPrivilegedRequest(&container) {
+				return fmt.Errorf("pod with UID %q specified privileged init container, but is disallowed", pod.UID)
+			}
+		}
+	}
+
+	if pod.Spec.SecurityContext == nil {
+		return nil
+	}
+
+	if pod.Spec.SecurityContext.HostNetwork {
 		allowed, err := allowHostNetwork(pod)
 		if err != nil {
 			return err
@@ -37,7 +54,7 @@ func canRunPod(pod *api.Pod) error {
 		}
 	}
-	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
+	if pod.Spec.SecurityContext.HostPID {
 		allowed, err := allowHostPID(pod)
 		if err != nil {
 			return err
@@ -47,7 +64,7 @@ func canRunPod(pod *api.Pod) error {
 		}
 	}
-	if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
+	if pod.Spec.SecurityContext.HostIPC {
 		allowed, err := allowHostIPC(pod)
 		if err != nil {
 			return err
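Review bot: The new early return on `pod.Spec.SecurityContext == nil` makes every check placed after it unreachable for pods that carry no pod-level SecurityContext, so a future admission rule that does not depend on that field (the privileged-container scan above is exactly such a rule) would be silently bypassed if someone appends it at the bottom of canRunPod; a comment on the return should pin that invariant, e.g. `// Everything below reads pod.Spec.SecurityContext; checks that do not depend on it must be placed above this return.` The relocated scan also passes the address of the range copy in `securitycontext.HasPrivilegedRequest(&container)`, which copies each Container struct per iteration; indexing avoids that: `for i := range pod.Spec.Containers { if securitycontext.HasPrivilegedRequest(&pod.Spec.Containers[i]) {`, and the same applies to the InitContainers loop. Moving the privileged scan ahead of the host-namespace checks also changes which error a pod that violates both now receives, which is worth a sentence in the commit description if any caller or test matches on the message. canRunPod continues past the end of this hunk.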
@@ -57,18 +74,6 @@ func canRunPod(pod *api.Pod) error {
 		}
 	}
-	if !capabilities.Get().AllowPrivileged {
-		for _, container := range pod.Spec.Containers {
-			if securitycontext.HasPrivilegedRequest(&container) {
-				return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
-			}
-		}
-		for _, container := range pod.Spec.InitContainers {
-			if securitycontext.HasPrivilegedRequest(&container) {
-				return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
-			}
-		}
-	}
 	return nil
 }