github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 06:27:05 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #31286 from yifan-gu/rkt_privileged

Browse Source 
Automatic merge from submit-queue

rkt: Improve support for privileged pod (pod whose all containers are privileged) 

Fix https://github.com/kubernetes/kubernetes/issues/31100

This takes advantage of https://github.com/coreos/rkt/pull/2983 . By appending the new `--all-run` insecure-options to `rkt run-prepared` command when all the containers are privileged. The pod now gets more privileged power.
This commit is contained in:
Kubernetes Submit Queue 2016-08-25 06:58:43 -07:00 committed by GitHub
commit 6901a00078
3 changed files with 88 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/kubelet/rkt/config.go
View File

@ -88,21 +88,21 @@ func (r *Runtime) getConfig(cfg *Config) (*Config, error) {
flags := resp.Info.GlobalFlags flags := resp.Info.GlobalFlags
if cfg.Dir == "" { if flags.Dir != "" {
cfg.Dir = flags.Dir cfg.Dir = flags.Dir
} }
if cfg.InsecureOptions == "" { if flags.LocalConfigDir != "" {
cfg.InsecureOptions = flags.InsecureFlags
}
if cfg.LocalConfigDir == "" {
cfg.LocalConfigDir = flags.LocalConfigDir cfg.LocalConfigDir = flags.LocalConfigDir
} }
if cfg.UserConfigDir == "" { if flags.UserConfigDir != "" {
cfg.UserConfigDir = flags.UserConfigDir cfg.UserConfigDir = flags.UserConfigDir
} }
if cfg.SystemConfigDir == "" { if flags.SystemConfigDir != "" {
cfg.SystemConfigDir = flags.SystemConfigDir cfg.SystemConfigDir = flags.SystemConfigDir
} }
if flags.InsecureFlags != "" {
cfg.InsecureOptions = fmt.Sprintf("%s,%s", cfg.InsecureOptions, flags.InsecureFlags)
}
return cfg, nil return cfg, nil
} }

25
pkg/kubelet/rkt/rkt.go
View File

@ -70,8 +70,8 @@ const (
RktType = "rkt" RktType = "rkt"
DefaultRktAPIServiceEndpoint = "localhost:15441" DefaultRktAPIServiceEndpoint = "localhost:15441"
minimumRktBinVersion = "1.9.1" minimumRktBinVersion = "1.13.0"
recommendedRktBinVersion = "1.9.1" recommendedRktBinVersion = "1.13.0"
minimumRktApiVersion = "1.0.0-alpha" minimumRktApiVersion = "1.0.0-alpha"
minimumSystemdVersion = "219" minimumSystemdVersion = "219"
@ -929,7 +929,26 @@ func (r *Runtime) usesRktHostNetwork(pod *api.Pod) bool {
// generateRunCommand crafts a 'rkt run-prepared' command with necessary parameters. // generateRunCommand crafts a 'rkt run-prepared' command with necessary parameters.
func (r *Runtime) generateRunCommand(pod *api.Pod, uuid, netnsName string) (string, error) { func (r *Runtime) generateRunCommand(pod *api.Pod, uuid, netnsName string) (string, error) {
runPrepared := buildCommand(r.config, "run-prepared").Args config := *r.config
privileged := true
for _, c := range pod.Spec.Containers {
ctx := securitycontext.DetermineEffectiveSecurityContext(pod, &c)
if ctx == nil || ctx.Privileged == nil || *ctx.Privileged == false {
privileged = false
break
}
}
// Use "all-run" insecure option (https://github.com/coreos/rkt/pull/2983) to take care
// of privileged pod.
// TODO(yifan): Have more granular app-level control of the insecure options.
// See: https://github.com/coreos/rkt/issues/2996.
if privileged {
config.InsecureOptions = fmt.Sprintf("%s,%s", config.InsecureOptions, "all-run")
}
runPrepared := buildCommand(&config, "run-prepared").Args
var hostname string var hostname string
var err error var err error

61
pkg/kubelet/rkt/rkt_test.go
View File

@ -1164,6 +1164,9 @@ func TestSetApp(t *testing.T) {
func TestGenerateRunCommand(t *testing.T) { func TestGenerateRunCommand(t *testing.T) {
hostName := "test-hostname" hostName := "test-hostname"
boolTrue := true
boolFalse := false
tests := []struct { tests := []struct {
networkPlugin network.NetworkPlugin networkPlugin network.NetworkPlugin
pod *api.Pod pod *api.Pod
@ -1184,7 +1187,9 @@ func TestGenerateRunCommand(t *testing.T) {
ObjectMeta: api.ObjectMeta{ ObjectMeta: api.ObjectMeta{
Name: "pod-name-foo", Name: "pod-name-foo",
}, },
Spec: api.PodSpec{}, Spec: api.PodSpec{
Containers: []api.Container{{Name: "container-foo"}},
},
}, },
"rkt-uuid-foo", "rkt-uuid-foo",
"default", "default",
@ -1201,6 +1206,9 @@ func TestGenerateRunCommand(t *testing.T) {
ObjectMeta: api.ObjectMeta{ ObjectMeta: api.ObjectMeta{
Name: "pod-name-foo", Name: "pod-name-foo",
}, },
Spec: api.PodSpec{
Containers: []api.Container{{Name: "container-foo"}},
},
}, },
"rkt-uuid-foo", "rkt-uuid-foo",
"default", "default",
@ -1221,6 +1229,7 @@ func TestGenerateRunCommand(t *testing.T) {
SecurityContext: &api.PodSecurityContext{ SecurityContext: &api.PodSecurityContext{
HostNetwork: true, HostNetwork: true,
}, },
Containers: []api.Container{{Name: "container-foo"}},
}, },
}, },
"rkt-uuid-foo", "rkt-uuid-foo",
@ -1242,6 +1251,7 @@ func TestGenerateRunCommand(t *testing.T) {
SecurityContext: &api.PodSecurityContext{ SecurityContext: &api.PodSecurityContext{
HostNetwork: false, HostNetwork: false,
}, },
Containers: []api.Container{{Name: "container-foo"}},
}, },
}, },
"rkt-uuid-foo", "rkt-uuid-foo",
@ -1263,6 +1273,7 @@ func TestGenerateRunCommand(t *testing.T) {
SecurityContext: &api.PodSecurityContext{ SecurityContext: &api.PodSecurityContext{
HostNetwork: true, HostNetwork: true,
}, },
Containers: []api.Container{{Name: "container-foo"}},
}, },
}, },
"rkt-uuid-foo", "rkt-uuid-foo",
@ -1280,7 +1291,9 @@ func TestGenerateRunCommand(t *testing.T) {
ObjectMeta: api.ObjectMeta{ ObjectMeta: api.ObjectMeta{
Name: "pod-name-foo", Name: "pod-name-foo",
}, },
Spec: api.PodSpec{}, Spec: api.PodSpec{
Containers: []api.Container{{Name: "container-foo"}},
},
}, },
"rkt-uuid-foo", "rkt-uuid-foo",
"default", "default",
@ -1290,6 +1303,50 @@ func TestGenerateRunCommand(t *testing.T) {
nil, nil,
"/bin/rkt/rkt --insecure-options=image,ondisk --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=rkt.kubernetes.io --dns=127.0.0.1 --dns-search=. --dns-opt=ndots:5 --hostname=pod-hostname-foo rkt-uuid-foo", "/bin/rkt/rkt --insecure-options=image,ondisk --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=rkt.kubernetes.io --dns=127.0.0.1 --dns-search=. --dns-opt=ndots:5 --hostname=pod-hostname-foo rkt-uuid-foo",
}, },
// Case #6, if all containers are privileged, the result should have 'insecure-options=all-run'
{
kubenet.NewPlugin("/tmp"),
&api.Pod{
ObjectMeta: api.ObjectMeta{
Name: "pod-name-foo",
},
Spec: api.PodSpec{
Containers: []api.Container{
{Name: "container-foo", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}},
{Name: "container-bar", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}},
},
},
},
"rkt-uuid-foo",
"default",
[]string{},
[]string{},
"pod-hostname-foo",
nil,
"/usr/bin/nsenter --net=/var/run/netns/default -- /bin/rkt/rkt --insecure-options=image,ondisk,all-run --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=host --hostname=pod-hostname-foo rkt-uuid-foo",
},
// Case #7, if not all containers are privileged, the result should not have 'insecure-options=all-run'
{
kubenet.NewPlugin("/tmp"),
&api.Pod{
ObjectMeta: api.ObjectMeta{
Name: "pod-name-foo",
},
Spec: api.PodSpec{
Containers: []api.Container{
{Name: "container-foo", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}},
{Name: "container-bar", SecurityContext: &api.SecurityContext{Privileged: &boolFalse}},
},
},
},
"rkt-uuid-foo",
"default",
[]string{},
[]string{},
"pod-hostname-foo",
nil,
"/usr/bin/nsenter --net=/var/run/netns/default -- /bin/rkt/rkt --insecure-options=image,ondisk --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=host --hostname=pod-hostname-foo rkt-uuid-foo",
},
} }
rkt := &Runtime{ rkt := &Runtime{