diff --git a/pkg/kubelet/dockertools/manager.go b/pkg/kubelet/dockertools/manager.go
index bac74bff629..d1a2912f539 100644
--- a/pkg/kubelet/dockertools/manager.go
+++ b/pkg/kubelet/dockertools/manager.go
@@ -30,7 +30,6 @@ import (
 "sync"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
- "github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/client/record"
 kubecontainer "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/container"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/lifecycle"
@@ -542,10 +541,6 @@ func (dm *DockerManager) runContainer(pod *api.Pod, container *api.Container, op
 }
 }
- if !capabilities.Get().AllowPrivileged && securitycontext.HasPrivilegedRequest(container) {
- return "", fmt.Errorf("container requested privileged mode, but it is disallowed globally.")
- }
-
 hc := &docker.HostConfig{
 PortBindings: portBindings,
 Binds: opts.Binds,
diff --git a/pkg/kubelet/kubelet_test.go b/pkg/kubelet/kubelet_test.go
index 9af7f5b3564..f587301372c 100644
--- a/pkg/kubelet/kubelet_test.go
+++ b/pkg/kubelet/kubelet_test.go
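Review bot: With the AllowPrivileged guard removed, runContainer builds the docker.HostConfig for a privileged request with no local check, so every path that reaches it must now have gone through canRunPod first, and the hunk leaves that dependency undocumented at the removal site. The same applies to setIsolators in pkg/kubelet/rkt/rkt.go, which after this commit sets privileged straight from SecurityContext.Privileged and then hands out getAllCapabilities() with no guard of its own. A one-line comment where the check used to be would keep the invariant visible to the next maintainer, e.g. `// Privileged requests are rejected in canRunPod (pkg/kubelet/util.go) before a container reaches this point; no check is done here.` runContainer starts and ends outside the hunk.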
@@ -3754,6 +3754,59 @@ func TestHostNetworkDisallowed(t *testing.T) {
 }
 }
+func TestPrivilegeContainerAllowed(t *testing.T) {
+ testKubelet := newTestKubelet(t)
+ kubelet := testKubelet.kubelet
+
+ capabilities.SetForTests(capabilities.Capabilities{
+ AllowPrivileged: true,
+ })
+ privileged := true
+ pod := &api.Pod{
+ ObjectMeta: api.ObjectMeta{
+ UID: "12345678",
+ Name: "foo",
+ Namespace: "new",
+ },
+ Spec: api.PodSpec{
+ Containers: []api.Container{
+ {Name: "foo", SecurityContext: &api.SecurityContext{Privileged: &privileged}},
+ },
+ },
+ }
+ kubelet.podManager.SetPods([]*api.Pod{pod})
+ err := kubelet.syncPod(pod, nil, container.Pod{})
+ if err != nil {
+ t.Errorf("expected pod infra creation to succeed: %v", err)
+ }
+}
+
+func TestPrivilegeContainerDisallowed(t *testing.T) {
+ testKubelet := newTestKubelet(t)
+ kubelet := testKubelet.kubelet
+
+ capabilities.SetForTests(capabilities.Capabilities{
+ AllowPrivileged: false,
+ })
+ privileged := true
+ pod := &api.Pod{
+ ObjectMeta: api.ObjectMeta{
+ UID: "12345678",
+ Name: "foo",
+ Namespace: "new",
+ },
+ Spec: api.PodSpec{
+ Containers: []api.Container{
+ {Name: "foo", SecurityContext: &api.SecurityContext{Privileged: &privileged}},
+ },
+ },
+ }
+ err := kubelet.syncPod(pod, nil, container.Pod{})
+ if err == nil {
+ t.Errorf("expected pod infra creation to fail")
+ }
+}
+
 func TestSyncPodsWithRestartPolicy(t *testing.T) {
 testKubelet := newTestKubelet(t)
 testKubelet.fakeCadvisor.On("MachineInfo").Return(&cadvisorApi.MachineInfo{}, nil)
diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go
index e54060116e5..230c97bbed3 100644
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
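Review bot: Both new tests call capabilities.SetForTests without restoring the previous value, so whatever TestPrivilegeContainerDisallowed leaves behind (AllowPrivileged: false) is still in effect for every test in the package that runs after it, starting with TestSyncPodsWithRestartPolicy directly below. Capture and restore it at the top of each test, `prev := capabilities.Get()` followed by `defer capabilities.SetForTests(prev)`, assuming Get returns a capabilities.Capabilities value as its use with .AllowPrivileged suggests. TestPrivilegeContainerDisallowed also accepts any non-nil error from syncPod, so a failure unrelated to the privilege policy would make it pass; asserting that the error text mentions the privileged container would pin the behaviour actually under test. It further omits the kubelet.podManager.SetPods call that the Allowed variant makes before syncPod, which looks unintentional rather than a deliberate difference.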
@@ -31,7 +31,6 @@ import (
 "time"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
- "github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/client/record"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/credentialprovider"
 kubecontainer "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/container"
@@ -213,13 +212,10 @@ func setIsolators(app *appctypes.App, c *api.Container) error {
 // Retained capabilities/privileged.
 privileged := false
- if !capabilities.Get().AllowPrivileged && securitycontext.HasPrivilegedRequest(c) {
- return fmt.Errorf("container requested privileged mode, but it is disallowed globally.")
- } else {
- if c.SecurityContext != nil && c.SecurityContext.Privileged != nil {
- privileged = *c.SecurityContext.Privileged
- }
+ if c.SecurityContext != nil && c.SecurityContext.Privileged != nil {
+ privileged = *c.SecurityContext.Privileged
 }
+
 var addCaps string
 if privileged {
 addCaps = getAllCapabilities()
diff --git a/pkg/kubelet/util.go b/pkg/kubelet/util.go
index 7d4e422c3de..d86ba8f5f2b 100644
--- a/pkg/kubelet/util.go
+++ b/pkg/kubelet/util.go
@@ -22,6 +22,7 @@ import (
 "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/api/resource"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
+ "github.com/GoogleCloudPlatform/kubernetes/pkg/securitycontext"
 cadvisorApi "github.com/google/cadvisor/info/v1"
 )
@@ -48,7 +49,14 @@ func canRunPod(pod *api.Pod) error {
 return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
 }
 }
- // TODO(vmarmol): Check Privileged too.
+
+ if !capabilities.Get().AllowPrivileged {
+ for _, container := range pod.Spec.Containers {
+ if securitycontext.HasPrivilegedRequest(&container) {
+ return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
+ }
+ }
+ }
 return nil
 }
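Review bot: The new loop in canRunPod takes the address of the range copy `container` and passes it to HasPrivilegedRequest, which copies every api.Container per iteration and is only safe as long as the helper never writes through the pointer; indexing makes the intent explicit: `for i := range pod.Spec.Containers {` and `if securitycontext.HasPrivilegedRequest(&pod.Spec.Containers[i]) {`. The error could also name the offending container, e.g. `return fmt.Errorf("pod with UID %q specified privileged container %q, but is disallowed", pod.UID, pod.Spec.Containers[i].Name)`, since a pod may carry several and the message currently identifies only the pod. After the removals in manager.go and rkt.go this function is the single enforcement point for the AllowPrivileged policy, which is worth stating in its doc comment so nobody later treats the per-runtime code as a fallback; canRunPod's signature line is in the hunk header but its start is outside the hunk.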