Merge pull request #5973 from ArtfulCoder/pause_no_port_forward_for_net_host
Stop port forwarding from pause in net=host mode
commit
8183a4805e
@ -1023,12 +1023,21 @@ func allowHostNetwork(pod *api.Pod) (bool, error) {
|
||||
|
||||
// createPodInfraContainer starts the pod infra container for a pod. Returns the docker container ID of the newly created container.
|
||||
func (kl *Kubelet) createPodInfraContainer(pod *api.Pod) (dockertools.DockerID, error) {
|
||||
|
||||
// Use host networking if specified and allowed.
|
||||
netNamespace := ""
|
||||
var ports []api.ContainerPort
|
||||
// Docker only exports ports from the pod infra container. Let's
|
||||
// collect all of the relevant ports and export them.
|
||||
for _, container := range pod.Spec.Containers {
|
||||
ports = append(ports, container.Ports...)
|
||||
|
||||
if pod.Spec.HostNetwork {
|
||||
netNamespace = "host"
|
||||
} else {
|
||||
// Docker only exports ports from the pod infra container. Let's
|
||||
// collect all of the relevant ports and export them.
|
||||
for _, container := range pod.Spec.Containers {
|
||||
ports = append(ports, container.Ports...)
|
||||
}
|
||||
}
|
||||
|
||||
container := &api.Container{
|
||||
Name: dockertools.PodInfraContainerName,
|
||||
Image: kl.podInfraContainerImage,
|
||||
@ -1055,20 +1064,6 @@ func (kl *Kubelet) createPodInfraContainer(pod *api.Pod) (dockertools.DockerID,
|
||||
kl.recorder.Eventf(ref, "pulled", "Successfully pulled image %q", container.Image)
|
||||
}
|
||||
|
||||
// Use host networking if specified and allowed.
|
||||
netNamespace := ""
|
||||
if pod.Spec.HostNetwork {
|
||||
allowed, err := allowHostNetwork(pod)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if !allowed {
|
||||
return "", fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
|
||||
}
|
||||
|
||||
netNamespace = "host"
|
||||
}
|
||||
|
||||
id, err := kl.runContainer(pod, container, nil, netNamespace, "")
|
||||
if err != nil {
|
||||
return "", err
|
||||
@ -1364,9 +1359,26 @@ func (kl *Kubelet) computePodContainerChanges(pod *api.Pod, runningPod kubeconta
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (kl *Kubelet) canRunPod(pod *api.Pod) error {
|
||||
if pod.Spec.HostNetwork {
|
||||
allowed, err := allowHostNetwork(pod)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !allowed {
|
||||
return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (kl *Kubelet) syncPod(pod *api.Pod, mirrorPod *api.Pod, runningPod kubecontainer.Pod) error {
|
||||
podFullName := kubecontainer.GetPodFullName(pod)
|
||||
uid := pod.UID
|
||||
err := kl.canRunPod(pod)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Before returning, regenerate status and store it in the cache.
|
||||
defer func() {
|
||||
|
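Review bot: In the new createPodInfraContainer, `netNamespace = "host"` is set from `pod.Spec.HostNetwork` alone, so the host-network authorization now depends entirely on the caller having passed canRunPod in syncPod. If any other path reaches createPodInfraContainer (none is visible in these hunks), the infra container would join the host network namespace unchecked. Either re-assert the check at the top with `if err := kl.canRunPod(pod); err != nil { return "", err }`, or state the precondition in the doc comment, e.g. `// Callers must have passed canRunPod; host networking is not re-validated here.` canRunPod has no doc comment of its own; `// canRunPod returns an error if the pod requests host networking and is not allowed to use it.` would cover it. The new check in syncPod also returns before the deferred status regeneration is registered, so a rejected pod appears to leave no status update or event on this path. Recording one through `kl.recorder.Eventf` would make rejections visible to operators. The bodies of createPodInfraContainer and syncPod continue outside the hunks.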
@ -3495,7 +3495,7 @@ func TestHostNetworkAllowed(t *testing.T) {
|
||||
HostNetwork: true,
|
||||
},
|
||||
}
|
||||
_, err := kubelet.createPodInfraContainer(pod)
|
||||
err := kubelet.syncPod(pod, nil, container.Pod{})
|
||||
if err != nil {
|
||||
t.Errorf("expected pod infra creation to succeed: %v", err)
|
||||
}
|
||||
@ -3524,7 +3524,7 @@ func TestHostNetworkDisallowed(t *testing.T) {
|
||||
HostNetwork: true,
|
||||
},
|
||||
}
|
||||
_, err := kubelet.createPodInfraContainer(pod)
|
||||
err := kubelet.syncPod(pod, nil, container.Pod{})
|
||||
if err == nil {
|
||||
t.Errorf("expected pod infra creation to fail")
|
||||
}
|
||||
|
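Review bot: TestHostNetworkDisallowed now passes on any error returned by syncPod, which does far more than create the infra container, so it no longer shows that the host-network check is what rejected the pod. Pinning the cause would keep it meaningful as a regression test for the authorization path, e.g. `if err == nil || !strings.Contains(err.Error(), "disallowed") {`. Both failure messages still say "pod infra creation" although the call under test is now syncPod; `t.Errorf("expected syncPod to reject host-network pod")` and `t.Errorf("expected syncPod to succeed: %v", err)` would match the new code. The test bodies start and end outside these hunks, so the setup that decides whether host networking is allowed is not visible here.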