From 708b18026657cc7b246830a7addbe1f4aafa88ff Mon Sep 17 00:00:00 2001
From: Konstantinos Tsakalozos <kos.tsakalozos@canonical.com>
Date: Wed, 4 Apr 2018 17:18:20 +0300
Subject: [PATCH] Fix when privileged is set.

---
 .../reactive/kubernetes_worker.py                 | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
index 750aabb15d7..4ce925131e0 100644
--- a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
+++ b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py
@@ -372,9 +372,6 @@ def start_worker(kube_api, kube_control, auth_control, cni):
     creds = db.get('credentials')
     data_changed('kube-control.creds', creds)
 
-    # set --allow-privileged flag for kubelet
-    set_privileged()
-
     create_config(random.choice(servers), creds)
     configure_kubelet(dns, ingress_ip)
     configure_kube_proxy(servers, cluster_cidr)
@@ -626,8 +623,8 @@ def configure_kubelet(dns, ingress_ip):
     if (dns['enable-kube-dns']):
         kubelet_opts['cluster-dns'] = dns['sdn-ip']
 
-    privileged = is_state('kubernetes-worker.privileged')
-    kubelet_opts['allow-privileged'] = 'true' if privileged else 'false'
+    # set --allow-privileged flag for kubelet
+    kubelet_opts['allow-privileged'] = set_privileged()
 
     if is_state('kubernetes-worker.gpu.enabled'):
         hookenv.log('Adding '
@@ -865,8 +862,10 @@ def remove_nrpe_config(nagios=None):
 
 
 def set_privileged():
-    """Update the allow-privileged flag for kubelet.
-
+    """Return 'true' if privileged containers are needed.
+    This is when a) the user requested them
+                 b) user does not care (auto) and GPUs are available in a pre
+                    1.9 era
     """
     privileged = hookenv.config('allow-privileged').lower()
     gpu_needs_privileged = (is_state('kubernetes-worker.gpu.enabled') and
@@ -881,6 +880,8 @@ def set_privileged():
         # No need to restart kubernetes (set the restart-needed state)
         # because set-privileged is already in the restart path
 
+    return privileged
+
 
 @when('config.changed.allow-privileged')
 @when('kubernetes-worker.config.created')