Merge pull request #1330 from brendandburns/privilege

Only allow privileged containers if API server flag set. Adds capabilities package.
2025-09-14 05:36:12 +00:00 · 2014-09-16 15:12:26 -07:00
parent 0b75f7b543 5b9e2a55b5
commit 506f51b186
7 changed files with 111 additions and 18 deletions
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@@ -29,6 +29,7 @@ import (

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/validation"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/health"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/dockertools"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/tools"
@@ -67,19 +68,17 @@ func NewMainKubelet(
 	cc CadvisorInterface,
 	ec tools.EtcdClient,
 	rd string,
-	ri time.Duration,
-	privileged bool) *Kubelet {
+	ri time.Duration) *Kubelet {
 	return &Kubelet{
-		hostname:        hn,
-		dockerClient:    dc,
-		cadvisorClient:  cc,
-		etcdClient:      ec,
-		rootDirectory:   rd,
-		resyncInterval:  ri,
-		podWorkers:      newPodWorkers(),
-		runner:          dockertools.NewDockerContainerCommandRunner(),
-		httpClient:      &http.Client{},
-		allowPrivileged: privileged,
+		hostname:       hn,
+		dockerClient:   dc,
+		cadvisorClient: cc,
+		etcdClient:     ec,
+		rootDirectory:  rd,
+		resyncInterval: ri,
+		podWorkers:     newPodWorkers(),
+		runner:         dockertools.NewDockerContainerCommandRunner(),
+		httpClient:     &http.Client{},
 	}
 }

@@ -121,8 +120,6 @@ type Kubelet struct {
 	runner dockertools.ContainerCommandRunner
 	// Optional, client for http requests, defaults to empty client
 	httpClient httpGetInterface
-	// Optional, allow privileged containers, defaults to false
-	allowPrivileged bool
 }

 // Run starts the kubelet reacting to config updates
@@ -340,7 +337,7 @@ func (kl *Kubelet) runContainer(pod *Pod, container *api.Container, podVolumes v
 		return "", err
 	}
 	privileged := false
-	if kl.allowPrivileged {
+	if capabilities.GetCapabilities().AllowPrivileged {
 		privileged = container.Privileged
 	} else if container.Privileged {
 		return "", fmt.Errorf("Container requested privileged mode, but it is disallowed globally.")