diff --git a/pkg/kubelet/rkt/config.go b/pkg/kubelet/rkt/config.go index 3af07a3541f..ebdf34a1e77 100644 --- a/pkg/kubelet/rkt/config.go +++ b/pkg/kubelet/rkt/config.go @@ -88,21 +88,21 @@ func (r *Runtime) getConfig(cfg *Config) (*Config, error) { flags := resp.Info.GlobalFlags - if cfg.Dir == "" { + if flags.Dir != "" { cfg.Dir = flags.Dir } - if cfg.InsecureOptions == "" { - cfg.InsecureOptions = flags.InsecureFlags - } - if cfg.LocalConfigDir == "" { + if flags.LocalConfigDir != "" { cfg.LocalConfigDir = flags.LocalConfigDir } - if cfg.UserConfigDir == "" { + if flags.UserConfigDir != "" { cfg.UserConfigDir = flags.UserConfigDir } - if cfg.SystemConfigDir == "" { + if flags.SystemConfigDir != "" { cfg.SystemConfigDir = flags.SystemConfigDir } + if flags.InsecureFlags != "" { + cfg.InsecureOptions = fmt.Sprintf("%s,%s", cfg.InsecureOptions, flags.InsecureFlags) + } return cfg, nil } diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go index b0c8a138cb8..75111fc97e9 100644 --- a/pkg/kubelet/rkt/rkt.go +++ b/pkg/kubelet/rkt/rkt.go @@ -70,8 +70,8 @@ const ( RktType = "rkt" DefaultRktAPIServiceEndpoint = "localhost:15441" - minimumRktBinVersion = "1.9.1" - recommendedRktBinVersion = "1.9.1" + minimumRktBinVersion = "1.13.0" + recommendedRktBinVersion = "1.13.0" minimumRktApiVersion = "1.0.0-alpha" minimumSystemdVersion = "219" 
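Review bot: The new InsecureFlags merge at the end of getConfig produces a leading comma when the kubelet has no insecure options configured but the rkt api-service reports some — `fmt.Sprintf("%s,%s", "", "image")` yields `,image`, and nothing here shows that rkt's --insecure-options parser tolerates an empty element. A join that drops the empty side avoids the question, e.g. `cfg.InsecureOptions = strings.Trim(cfg.InsecureOptions+","+flags.InsecureFlags, ",")` (assuming `strings` is already imported in config.go). The hunk also changes the contract from "kubelet setting wins" to "union of kubelet and api-service insecure flags", and for the directory fields from "kubelet setting wins" to "api-service value wins when set"; since this widens what every pod runs with, getConfig's doc comment should say so, e.g. `// InsecureOptions becomes the union of the kubelet-configured options and the api-service's --insecure-options; Dir and the *ConfigDir fields take the api-service value whenever it is non-empty.` getConfig begins before this hunk.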
@@ -929,7 +929,26 @@ func (r *Runtime) usesRktHostNetwork(pod *api.Pod) bool { // generateRunCommand crafts a 'rkt run-prepared' command with necessary parameters. func (r *Runtime) generateRunCommand(pod *api.Pod, uuid, netnsName string) (string, error) { - runPrepared := buildCommand(r.config, "run-prepared").Args + config := *r.config + privileged := true + + for _, c := range pod.Spec.Containers { + ctx := securitycontext.DetermineEffectiveSecurityContext(pod, &c) + if ctx == nil || ctx.Privileged == nil || *ctx.Privileged == false { + privileged = false + break + } + } + + // Use "all-run" insecure option (https://github.com/coreos/rkt/pull/2983) to take care + // of privileged pod. + // TODO(yifan): Have more granular app-level control of the insecure options. + // See: https://github.com/coreos/rkt/issues/2996. + if privileged { + config.InsecureOptions = fmt.Sprintf("%s,%s", config.InsecureOptions, "all-run") + } + + runPrepared := buildCommand(&config, "run-prepared").Args var hostname string var err error diff --git a/pkg/kubelet/rkt/rkt_test.go b/pkg/kubelet/rkt/rkt_test.go index d34f4e22a0e..60070125442 100644 --- a/pkg/kubelet/rkt/rkt_test.go +++ b/pkg/kubelet/rkt/rkt_test.go @@ -1164,6 +1164,9 @@ func TestSetApp(t *testing.T) { func TestGenerateRunCommand(t *testing.T) { hostName := "test-hostname" + boolTrue := true + boolFalse := false + tests := []struct { networkPlugin network.NetworkPlugin pod *api.Pod @@ -1184,7 +1187,9 @@ func TestGenerateRunCommand(t *testing.T) { ObjectMeta: api.ObjectMeta{ Name: "pod-name-foo", }, - Spec: api.PodSpec{}, + Spec: api.PodSpec{ + Containers: []api.Container{{Name: "container-foo"}}, + }, }, "rkt-uuid-foo", "default", @@ -1201,6 +1206,9 @@ func TestGenerateRunCommand(t *testing.T) { ObjectMeta: api.ObjectMeta{ Name: "pod-name-foo", }, + Spec: api.PodSpec{ + Containers: []api.Container{{Name: "container-foo"}}, + }, }, "rkt-uuid-foo", "default", 
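Review bot: `privileged` starts at true and is only cleared inside the loop over pod.Spec.Containers, so a pod whose Containers slice is empty gets `all-run` appended even though no container asked for privilege; initialising it as `privileged := len(pod.Spec.Containers) > 0` closes that gap (the test hunks below add a container to every pre-existing case, presumably for this reason). If this API version carries init containers in the pod spec, they are not consulted here either, which is worth a TODO beside the existing one. As in config.go, `fmt.Sprintf("%s,%s", config.InsecureOptions, "all-run")` produces `,all-run` when the base string is empty; `strings.Trim(config.InsecureOptions+",all-run", ",")` avoids the stray separator. Style: `*ctx.Privileged == false` reads more naturally as `!*ctx.Privileged`. generateRunCommand continues past the end of this hunk.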
@@ -1221,6 +1229,7 @@ func TestGenerateRunCommand(t *testing.T) { SecurityContext: &api.PodSecurityContext{ HostNetwork: true, }, + Containers: []api.Container{{Name: "container-foo"}}, }, }, "rkt-uuid-foo", @@ -1242,6 +1251,7 @@ func TestGenerateRunCommand(t *testing.T) { SecurityContext: &api.PodSecurityContext{ HostNetwork: false, }, + Containers: []api.Container{{Name: "container-foo"}}, }, }, "rkt-uuid-foo", @@ -1263,6 +1273,7 @@ func TestGenerateRunCommand(t *testing.T) { SecurityContext: &api.PodSecurityContext{ HostNetwork: true, }, + Containers: []api.Container{{Name: "container-foo"}}, }, }, "rkt-uuid-foo", @@ -1280,7 +1291,9 @@ func TestGenerateRunCommand(t *testing.T) { ObjectMeta: api.ObjectMeta{ Name: "pod-name-foo", }, - Spec: api.PodSpec{}, + Spec: api.PodSpec{ + Containers: []api.Container{{Name: "container-foo"}}, + }, }, "rkt-uuid-foo", "default", 
@@ -1290,6 +1303,50 @@ func TestGenerateRunCommand(t *testing.T) { nil, "/bin/rkt/rkt --insecure-options=image,ondisk --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=rkt.kubernetes.io --dns=127.0.0.1 --dns-search=. --dns-opt=ndots:5 --hostname=pod-hostname-foo rkt-uuid-foo", }, + // Case #6, if all containers are privileged, the result should have 'insecure-options=all-run' + { + kubenet.NewPlugin("/tmp"), + &api.Pod{ + ObjectMeta: api.ObjectMeta{ + Name: "pod-name-foo", + }, + Spec: api.PodSpec{ + Containers: []api.Container{ + {Name: "container-foo", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}}, + {Name: "container-bar", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}}, + }, + }, + }, + "rkt-uuid-foo", + "default", + []string{}, + []string{}, + "pod-hostname-foo", + nil, + "/usr/bin/nsenter --net=/var/run/netns/default -- /bin/rkt/rkt --insecure-options=image,ondisk,all-run --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=host --hostname=pod-hostname-foo rkt-uuid-foo", + }, + // Case #7, if not all containers are privileged, the result should not have 'insecure-options=all-run' + { + kubenet.NewPlugin("/tmp"), + &api.Pod{ + ObjectMeta: api.ObjectMeta{ + Name: "pod-name-foo", + }, + Spec: api.PodSpec{ + Containers: []api.Container{ + {Name: "container-foo", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}}, + {Name: "container-bar", SecurityContext: &api.SecurityContext{Privileged: &boolFalse}}, + }, + }, + }, + "rkt-uuid-foo", + "default", + []string{}, + []string{}, + "pod-hostname-foo", + nil, + "/usr/bin/nsenter --net=/var/run/netns/default -- /bin/rkt/rkt --insecure-options=image,ondisk --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=host --hostname=pod-hostname-foo rkt-uuid-foo", + }, } rkt := &Runtime{
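Review bot: Neither new case covers a pod whose Containers slice is empty, which is the one input where generateRunCommand's privileged flag keeps its initial value of true and `all-run` is emitted without any container requesting it; a case #8 with `Containers: []api.Container{}` and an expected command line without `all-run` would pin the intended behaviour rather than the accidental one. A case that mixes a privileged container with one whose SecurityContext is nil would also exercise the `ctx == nil` branch, which case #7 does not reach because it sets Privileged explicitly to false.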