Merge pull request #5973 from ArtfulCoder/pause_no_port_forward_for_net_host

Stop port forwarding from pause in net=host mode
2025-07-24 20:24:09 +00:00 · 2015-03-25 18:13:04 -07:00 · 2015-03-25 18:13:04 -07:00 · 8183a4805e
commit 8183a4805e
parent 5d379a2cb8 cd5ed38250
2 changed files with 32 additions and 20 deletions
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@ -1023,12 +1023,21 @@ func allowHostNetwork(pod *api.Pod) (bool, error) {

 // createPodInfraContainer starts the pod infra container for a pod. Returns the docker container ID of the newly created container.
 func (kl *Kubelet) createPodInfraContainer(pod *api.Pod) (dockertools.DockerID, error) {
+
+	// Use host networking if specified and allowed.
+	netNamespace := ""
 	var ports []api.ContainerPort
-	// Docker only exports ports from the pod infra container.  Let's
-	// collect all of the relevant ports and export them.
-	for _, container := range pod.Spec.Containers {
-		ports = append(ports, container.Ports...)
+
+	if pod.Spec.HostNetwork {
+		netNamespace = "host"
+	} else {
+		// Docker only exports ports from the pod infra container.  Let's
+		// collect all of the relevant ports and export them.
+		for _, container := range pod.Spec.Containers {
+			ports = append(ports, container.Ports...)
+		}
 	}
+
 	container := &api.Container{
 		Name:  dockertools.PodInfraContainerName,
 		Image: kl.podInfraContainerImage,
@ -1055,20 +1064,6 @@ func (kl *Kubelet) createPodInfraContainer(pod *api.Pod) (dockertools.DockerID,
 		kl.recorder.Eventf(ref, "pulled", "Successfully pulled image %q", container.Image)
 	}

-	// Use host networking if specified and allowed.
-	netNamespace := ""
-	if pod.Spec.HostNetwork {
-		allowed, err := allowHostNetwork(pod)
-		if err != nil {
-			return "", err
-		}
-		if !allowed {
-			return "", fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
-		}
-
-		netNamespace = "host"
-	}
-
 	id, err := kl.runContainer(pod, container, nil, netNamespace, "")
 	if err != nil {
 		return "", err
@ -1364,9 +1359,26 @@ func (kl *Kubelet) computePodContainerChanges(pod *api.Pod, runningPod kubeconta
 	}, nil
 }

+func (kl *Kubelet) canRunPod(pod *api.Pod) error {
+	if pod.Spec.HostNetwork {
+		allowed, err := allowHostNetwork(pod)
+		if err != nil {
+			return err
+		}
+		if !allowed {
+			return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
+		}
+	}
+	return nil
+}
+
 func (kl *Kubelet) syncPod(pod *api.Pod, mirrorPod *api.Pod, runningPod kubecontainer.Pod) error {
 	podFullName := kubecontainer.GetPodFullName(pod)
 	uid := pod.UID
+	err := kl.canRunPod(pod)
+	if err != nil {
+		return err
+	}

 	// Before returning, regenerate status and store it in the cache.
 	defer func() {
--- a/pkg/kubelet/kubelet_test.go
+++ b/pkg/kubelet/kubelet_test.go
@ -3495,7 +3495,7 @@ func TestHostNetworkAllowed(t *testing.T) {
 			HostNetwork: true,
 		},
 	}
-	_, err := kubelet.createPodInfraContainer(pod)
+	err := kubelet.syncPod(pod, nil, container.Pod{})
 	if err != nil {
 		t.Errorf("expected pod infra creation to succeed: %v", err)
 	}
@ -3524,7 +3524,7 @@ func TestHostNetworkDisallowed(t *testing.T) {
 			HostNetwork: true,
 		},
 	}
-	_, err := kubelet.createPodInfraContainer(pod)
+	err := kubelet.syncPod(pod, nil, container.Pod{})
 	if err == nil {
 		t.Errorf("expected pod infra creation to fail")
 	}