Merge pull request #39473 from php-coder/improve_err_msg_about_privileged

Automatic merge from submit-queue (batch tested with PRs 39394, 38270, 39473, 39516, 36243)

Improve an error message when privileged containers are disallowed on the cluster

**What this PR does / why we need it**:

At present, when a user creates a privileged pod and the creation of privileged containers is disallowed globally by a system administrator (kubelet and api-server were running with `--allow-privileged=false`), the user will get the following error message:
```console
$ kubectl create -f nginx.pod 
The Pod "nginx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by policy
```
"Disallowed by policy" may give a user the wrong assumption that the creation of privileged containers is disallowed by [`PodSecurityPolicy`](http://kubernetes.io/docs/user-guide/pod-security-policy/) while it's not.

This commit improves the error message and tries to point the user in the right direction:
```console
$ kubectl create -f nginx.pod 
The Pod "nginx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: privileged containers are disallowed on this cluster by a system administrator
```

**Release note**:

```release-note
NONE
```

PTAL @pweil-
Kubernetes Submit Queue 2017-01-09 12:05:21 -08:00 committed by GitHub
commit 59b1f4a12e
2 changed files with 2 additions and 2 deletions

@ -3504,7 +3504,7 @@ func ValidateSecurityContext(sc *api.SecurityContext, fldPath *field.Path) field
if sc.Privileged != nil {
if *sc.Privileged && !capabilities.Get().AllowPrivileged {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("privileged"), "disallowed by policy"))
allErrs = append(allErrs, field.Forbidden(fldPath.Child("privileged"), "disallowed by cluster policy"))
}
}
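Review bot: The new detail string on the `field.Forbidden(fldPath.Child("privileged"), ...)` line reads "disallowed by cluster policy", which does not match the message shown in the description ("privileged containers are disallowed on this cluster by a system administrator") and still contains the word "policy" that the description says leads users to suspect PodSecurityPolicy. Suggest using the wording from the description, or naming the `--allow-privileged=false` setting mentioned there, so the user can tell that the denial comes from the global `capabilities.Get().AllowPrivileged` check and not from a per-namespace or per-user policy object.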

@ -8155,7 +8155,7 @@ func TestValidateSecurityContext(t *testing.T) {
"request privileged when capabilities forbids": {
sc: privRequestWithGlobalDeny,
errorType: "FieldValueForbidden",
errorDetail: "disallowed by policy",
errorDetail: "disallowed by cluster policy",
},
"negative RunAsUser": {
sc: negativeRunAsUser,
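Review bot: The `errorDetail` expected by the "request privileged when capabilities forbids" case repeats the message literal from `ValidateSecurityContext`, so every rewording has to touch both files in lockstep, as this commit does. Suggest defining the message once as a shared constant that both the validation code and this test case reference, and updating the expected value here together with the validation string if the final wording is changed to match the description.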