Merge pull request #12470 from simon3z/add-host-ipc

Auto commit by PR queue bot
2025-09-16 22:53:22 +00:00 · 2015-09-21 09:15:01 -07:00
parent 9f93dceab1 f21d9ac9e4
commit 843134885e
22 changed files with 107 additions and 19 deletions
--- a/plugin/pkg/admission/exec/admission.go
+++ b/plugin/pkg/admission/exec/admission.go
@@ -94,10 +94,9 @@ func (d *denyExec) Admit(a admission.Attributes) (err error) {
 		return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host pid"))
 	}

-	//TODO uncomment when this feature lands https://github.com/kubernetes/kubernetes/pull/12470
-	//	if d.hostIPC && pod.Spec.HostIPC {
-	//		return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host ipc"))
-	//	}
+	if d.hostIPC && pod.Spec.HostIPC {
+		return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a container using host ipc"))
+	}

 	if d.privileged && isPrivileged(pod) {
 		return admission.NewForbidden(a, fmt.Errorf("Cannot exec into or attach to a privileged container"))
--- a/plugin/pkg/admission/exec/admission_test.go
+++ b/plugin/pkg/admission/exec/admission_test.go
@@ -36,8 +36,8 @@ func TestAdmission(t *testing.T) {
 	hostPIDPod := validPod("hostPID")
 	hostPIDPod.Spec.HostPID = true

-	//	hostIPCPod := validPod("hostIPC")
-	//	hostIPCPod.Spec.HostIPC = true
+	hostIPCPod := validPod("hostIPC")
+	hostIPCPod.Spec.HostIPC = true

 	testCases := map[string]struct {
 		pod          *api.Pod
@@ -51,10 +51,10 @@ func TestAdmission(t *testing.T) {
 			shouldAccept: false,
 			pod:          hostPIDPod,
 		},
-		//		"hostIPC": {
-		//			shouldAccept: false,
-		//			pod: hostIPCPod,
-		//		},
+		"hostIPC": {
+			shouldAccept: false,
+			pod:          hostIPCPod,
+		},
 		"non privileged": {
 			shouldAccept: true,
 			pod:          validPod("nonPrivileged"),
@@ -132,8 +132,8 @@ func TestDenyExecOnPrivileged(t *testing.T) {
 	hostPIDPod := validPod("hostPID")
 	hostPIDPod.Spec.HostPID = true

-	//	hostIPCPod := validPod("hostIPC")
-	//	hostIPCPod.Spec.HostIPC = true
+	hostIPCPod := validPod("hostIPC")
+	hostIPCPod.Spec.HostIPC = true

 	testCases := map[string]struct {
 		pod          *api.Pod
@@ -147,10 +147,10 @@ func TestDenyExecOnPrivileged(t *testing.T) {
 			shouldAccept: true,
 			pod:          hostPIDPod,
 		},
-		//		"hostIPC": {
-		//			shouldAccept: true,
-		//			pod: hostIPCPod,
-		//		},
+		"hostIPC": {
+			shouldAccept: true,
+			pod:          hostIPCPod,
+		},
 		"non privileged": {
 			shouldAccept: true,
 			pod:          validPod("nonPrivileged"),