Merge pull request #90569 from brianpursley/kubectl-721

Added --privileged flag to kubectl run
2025-07-30 06:54:01 +00:00 · 2020-06-10 04:38:22 -07:00 · 2020-06-10 04:38:22 -07:00 · 5b76272c35
commit 5b76272c35
parent 4c5167a152 cd005c1da4
3 changed files with 54 additions and 6 deletions
--- a/staging/src/k8s.io/kubectl/pkg/cmd/run/run.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/run/run.go
@ -120,6 +120,7 @@ type RunOptions struct {
 	Interactive    bool
 	LeaveStdinOpen bool
 	Port           string
+	Privileged     bool
 	Quiet          bool
 	Schedule       string
 	TTY            bool
@ -202,6 +203,7 @@ func addRunFlags(cmd *cobra.Command, opt *RunOptions) {
 	cmd.Flags().BoolVar(&opt.Quiet, "quiet", opt.Quiet, "If true, suppress prompt messages.")
 	cmd.Flags().StringVar(&opt.Schedule, "schedule", opt.Schedule, i18n.T("A schedule in the Cron format the job should be run with."))
 	cmd.Flags().MarkDeprecated("schedule", "has no effect and will be removed in the future.")
+	cmd.Flags().BoolVar(&opt.Privileged, "privileged", opt.Privileged, i18n.T("If true, run the container in privileged mode."))
 	cmdutil.AddFieldManagerFlagVar(cmd, &opt.fieldManager, "kubectl-run")
 }

--- a/staging/src/k8s.io/kubectl/pkg/generate/versioned/run.go
+++ b/staging/src/k8s.io/kubectl/pkg/generate/versioned/run.go
@ -229,6 +229,7 @@ func (BasicPod) ParamNames() []generate.GeneratorParam {
 		{Name: "requests", Required: false},
 		{Name: "limits", Required: false},
 		{Name: "serviceaccount", Required: false},
+		{Name: "privileged", Required: false},
 	}
 }

@ -281,6 +282,18 @@ func (BasicPod) Generate(genericParams map[string]interface{}) (runtime.Object,
 	if len(restartPolicy) == 0 {
 		restartPolicy = v1.RestartPolicyAlways
 	}
+
+	privileged, err := generate.GetBool(params, "privileged", false)
+	if err != nil {
+		return nil, err
+	}
+	var securityContext *v1.SecurityContext
+	if privileged {
+		securityContext = &v1.SecurityContext{
+			Privileged: &privileged,
+		}
+	}
+
 	pod := v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   name,
@ -290,12 +303,13 @@ func (BasicPod) Generate(genericParams map[string]interface{}) (runtime.Object,
 			ServiceAccountName: params["serviceaccount"],
 			Containers: []v1.Container{
 				{
-					Name:      name,
-					Image:     params["image"],
-					Stdin:     stdin,
-					StdinOnce: !leaveStdinOpen && stdin,
-					TTY:       tty,
-					Resources: resourceRequirements,
+					Name:            name,
+					Image:           params["image"],
+					Stdin:           stdin,
+					StdinOnce:       !leaveStdinOpen && stdin,
+					TTY:             tty,
+					Resources:       resourceRequirements,
+					SecurityContext: securityContext,
 				},
 			},
 			DNSPolicy:     v1.DNSClusterFirst,
--- a/staging/src/k8s.io/kubectl/pkg/generate/versioned/run_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/generate/versioned/run_test.go
@ -254,6 +254,32 @@ func TestGeneratePod(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "test10: privileged mode",
+			params: map[string]interface{}{
+				"name":       "foo",
+				"image":      "someimage",
+				"replicas":   "1",
+				"privileged": "true",
+			},
+			expected: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:   "foo",
+					Labels: map[string]string{"run": "foo"},
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:            "foo",
+							Image:           "someimage",
+							SecurityContext: securityContextWithPrivilege(true),
+						},
+					},
+					DNSPolicy:     v1.DNSClusterFirst,
+					RestartPolicy: v1.RestartPolicyAlways,
+				},
+			},
+		},
 	}
 	generator := BasicPod{}
 	for _, tt := range tests {
@ -358,3 +384,9 @@ func TestParseEnv(t *testing.T) {
 		})
 	}
 }
+
+func securityContextWithPrivilege(privileged bool) *v1.SecurityContext {
+	return &v1.SecurityContext{
+		Privileged: &privileged,
+	}
+}