Merge pull request #1288 from brendandburns/privilege

Add support for privileged containers.
Tim Hockin 2014-09-12 09:57:14 -07:00
commit 88a8c5486e
4 changed files with 28 additions and 11 deletions


@ -58,6 +58,7 @@ var (
dockerEndpoint = flag.String("docker_endpoint", "", "If non-empty, use this for the docker endpoint to communicate with")
etcdServerList util.StringList
rootDirectory = flag.String("root_dir", defaultRootDir, "Directory path for managing kubelet files (volume mounts,etc).")
allowPrivileged = flag.Bool("allow_privileged", false, "If true, allow containers to request privileged mode.")
)
func init() {
@ -150,7 +151,8 @@ func main() {
cadvisorClient,
etcdClient,
*rootDirectory,
*syncFrequency)
*syncFrequency,
*allowPrivileged)
health.AddHealthChecker("exec", health.NewExecHealthChecker(k))
health.AddHealthChecker("http", health.NewHTTPHealthChecker(&http.Client{}))


@ -195,6 +195,8 @@ type Container struct {
VolumeMounts []VolumeMount `yaml:"volumeMounts,omitempty" json:"volumeMounts,omitempty"`
LivenessProbe *LivenessProbe `yaml:"livenessProbe,omitempty" json:"livenessProbe,omitempty"`
Lifecycle *Lifecycle `yaml:"lifecycle,omitempty" json:"lifecycle,omitempty"`
// Optional: Default to false.
Privileged bool `json:"privileged,omitempty" yaml:"privileged,omitempty"`
}
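Review bot: The comment on the new Privileged field says only `// Optional: Default to false.`, which leaves out what the field grants and where it is enforced, so a reader of the API type cannot tell this is a security-sensitive request. I would expand it to `// Optional: Defaults to false. If true, the container runs in privileged mode (Docker's --privileged, i.e. broad host access); the kubelet rejects the container unless it was started with allow_privileged.` The identical one-line comment is added on the v1beta1 copy of Container in the next file section and should get the same text. As far as this PR shows, the kubelet flag is the only enforcement point; if an apiserver-side policy is expected to exist, that is not visible here.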
// Handler defines a specific action that should be taken


@ -205,6 +205,8 @@ type Container struct {
VolumeMounts []VolumeMount `yaml:"volumeMounts,omitempty" json:"volumeMounts,omitempty"`
LivenessProbe *LivenessProbe `yaml:"livenessProbe,omitempty" json:"livenessProbe,omitempty"`
Lifecycle *Lifecycle `yaml:"lifecycle,omitempty" json:"lifecycle,omitempty"`
// Optional: Default to false.
Privileged bool `json:"privileged,omitempty" yaml:"privileged,omitempty"`
}
// Handler defines a specific action that should be taken


@ -67,17 +67,19 @@ func NewMainKubelet(
cc CadvisorInterface,
ec tools.EtcdClient,
rd string,
ri time.Duration) *Kubelet {
ri time.Duration,
privileged bool) *Kubelet {
return &Kubelet{
hostname: hn,
dockerClient: dc,
cadvisorClient: cc,
etcdClient: ec,
rootDirectory: rd,
resyncInterval: ri,
podWorkers: newPodWorkers(),
runner: dockertools.NewDockerContainerCommandRunner(),
httpClient: &http.Client{},
hostname: hn,
dockerClient: dc,
cadvisorClient: cc,
etcdClient: ec,
rootDirectory: rd,
resyncInterval: ri,
podWorkers: newPodWorkers(),
runner: dockertools.NewDockerContainerCommandRunner(),
httpClient: &http.Client{},
allowPrivileged: privileged,
}
}
@ -119,6 +121,8 @@ type Kubelet struct {
runner dockertools.ContainerCommandRunner
// Optional, client for http requests, defaults to empty client
httpClient httpGetInterface
// Optional, allow privileged containers, defaults to false
allowPrivileged bool
}
// Run starts the kubelet reacting to config updates
@ -335,10 +339,17 @@ func (kl *Kubelet) runContainer(pod *Pod, container *api.Container, podVolumes v
if err != nil {
return "", err
}
privileged := false
if kl.allowPrivileged {
privileged = container.Privileged
} else if container.Privileged {
return "", fmt.Errorf("Container requested privileged mode, but it is disallowed globally.")
}
err = kl.dockerClient.StartContainer(dockerContainer.ID, &docker.HostConfig{
PortBindings: portBindings,
Binds: binds,
NetworkMode: netMode,
Privileged: privileged,
})
if err == nil && container.Lifecycle != nil && container.Lifecycle.PostStart != nil {
handlerErr := kl.runHandler(GetPodFullName(pod), pod.Manifest.UUID, container, container.Lifecycle.PostStart)
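Review bot: The privileged check in runContainer sits after the container has apparently already been created (the hunk opens on the error check of a creation call whose result, dockerContainer.ID, is passed to StartContainer below), so a pod that requests privileged mode on a kubelet without allow_privileged gets an error but leaves a created, never-started container behind on the node. Moving the guard to the top of runContainer, before any docker call, avoids that leftover and rejects the request before any resource is created; the start of the function is outside the hunk. The six-line block can also collapse to `if container.Privileged && !kl.allowPrivileged {` / `return "", fmt.Errorf("container requested privileged mode, but it is disallowed globally")` / `}` with `Privileged: container.Privileged,` in the HostConfig, which is equivalent and also fixes the error string's capital letter and trailing period. Since this is the only enforcement point visible in the PR, a denied privileged request should be visible to operators in the kubelet's log or event output; whether the caller of runContainer records it is not visible here.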