From c75b61ed4834fd3eb8eafe920eddb4e9fefdba34 Mon Sep 17 00:00:00 2001
From: Vishnu kannan
Date: Thu, 11 Aug 2016 11:59:59 -0700
Subject: [PATCH] check if kubelet is running as uid 0

Signed-off-by: Vishnu kannan
---
 cmd/kubelet/app/server.go | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 90f77cf9b73..47eabeb4541 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -35,7 +35,6 @@ import (
 	"github.com/golang/glog"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"github.com/syndtr/gocapability/capability"
 
 	"k8s.io/kubernetes/cmd/kubelet/app/options"
 	"k8s.io/kubernetes/pkg/api"
@@ -300,10 +299,22 @@ func Run(s *options.KubeletServer, kcfg *KubeletConfig) error {
 	return err
 }
 
+func checkPermissions() error {
+	if uid := os.Getuid(); uid != 0 {
+		return fmt.Errorf("Kubelet needs to run as uid `0`. It is being run as %d", uid)
+	}
+	// TODO: Check if kubelet is running in the `initial` user namespace.
+	// http://man7.org/linux/man-pages/man7/user_namespaces.7.html
+	return nil
+}
+
 func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
 	if s.ExitOnLockContention && s.LockFilePath == "" {
 		return errors.New("cannot exit on lock file contention: no lock file specified")
 	}
+	if err := checkPermissions(); err != nil {
+		glog.Error(err)
+	}
 
 	done := make(chan struct{})
 	if s.LockFilePath != "" {
@@ -324,15 +335,6 @@ func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
 		glog.Errorf("unable to register configz: %s", err)
 	}
 
-	// check if we have CAP_SYS_ADMIN to setgroup properly
-	pid, err := capability.NewPid(os.Getpid())
-	if err != nil {
-		return err
-	}
-	if !pid.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
-		return fmt.Errorf("Kubelet needs the CAP_SYS_ADMIN capability. Please run kubelet as root or in a privileged container")
-	}
-
 	if kcfg == nil {
 		cfg, err := UnsecuredKubeletConfig(s)
 		if err != nil {
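Review bot: The result of checkPermissions() in run() is only passed to glog.Error and never returned, so a kubelet started as a non-root user proceeds past the check (and will presumably fail later with less obvious errors), whereas the CAP_SYS_ADMIN check removed in the third hunk aborted startup by returning the error. If uid 0 is a hard requirement the call should read `if err := checkPermissions(); err != nil { return err }`; if it is deliberately advisory pending the user-namespace TODO, the commit message should say so and the log level should reflect that. Note also that uid 0 is a coarser criterion than the effective capability it replaces: uid 0 inside a non-initial user namespace is not privileged, as the TODO itself acknowledges, while a non-root process that was granted the capability is now rejected. The error string in checkPermissions is capitalised and written as prose; `fmt.Errorf("kubelet must run as uid 0, got uid %d", uid)` follows Go error-string convention. run()'s body continues past the end of this hunk.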