Merge pull request #30466 from vishh/kubelet-as-root
Automatic merge from submit-queue [Kubelet] Check if kubelet is running as uid 0 Related to #30176
This commit is contained in:
commit
921c4604b1
@ -35,7 +35,6 @@ import (
|
|||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
"github.com/spf13/pflag"
|
"github.com/spf13/pflag"
|
||||||
"github.com/syndtr/gocapability/capability"
|
|
||||||
|
|
||||||
"k8s.io/kubernetes/cmd/kubelet/app/options"
|
"k8s.io/kubernetes/cmd/kubelet/app/options"
|
||||||
"k8s.io/kubernetes/pkg/api"
|
"k8s.io/kubernetes/pkg/api"
|
||||||
@ -301,10 +300,22 @@ func Run(s *options.KubeletServer, kcfg *KubeletConfig) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func checkPermissions() error {
|
||||||
|
if uid := os.Getuid(); uid != 0 {
|
||||||
|
return fmt.Errorf("Kubelet needs to run as uid `0`. It is being run as %d", uid)
|
||||||
|
}
|
||||||
|
// TODO: Check if kubelet is running in the `initial` user namespace.
|
||||||
|
// http://man7.org/linux/man-pages/man7/user_namespaces.7.html
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
|
func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
|
||||||
if s.ExitOnLockContention && s.LockFilePath == "" {
|
if s.ExitOnLockContention && s.LockFilePath == "" {
|
||||||
return errors.New("cannot exit on lock file contention: no lock file specified")
|
return errors.New("cannot exit on lock file contention: no lock file specified")
|
||||||
}
|
}
|
||||||
|
if err := checkPermissions(); err != nil {
|
||||||
|
glog.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
done := make(chan struct{})
|
done := make(chan struct{})
|
||||||
if s.LockFilePath != "" {
|
if s.LockFilePath != "" {
|
||||||
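Review bot: In `run`, the error from `checkPermissions()` is only handed to `glog.Error(err)` and startup continues, so a kubelet launched as a non-zero uid logs the message and keeps running, whereas the CAP_SYS_ADMIN check removed in the next hunk (`@ -325,15 +336,6`) returned its error and aborted startup; if the uid check is meant to enforce rather than advise, the branch should read `if err := checkPermissions(); err != nil {` / `return err` / `}`, and if it is deliberately advisory that should be stated in a comment above it. The new check is also narrower than the one it replaces: it tests `os.Getuid()` only, while the dropped code tested the effective capability set, and a uid-0 process can have its capabilities reduced (the removed message itself mentions privileged containers), so a uid-0 kubelet with a reduced capability set would now pass silently — worth a note in `checkPermissions` next to the existing user-namespace TODO. The error string `"Kubelet needs to run as uid ..."` starts with a capital letter, unlike the lowercase `"cannot exit on lock file contention: ..."` a few lines above; the file's convention appears to be lowercase. The body of `run` continues beyond this hunk.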
@ -325,15 +336,6 @@ func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
|
|||||||
glog.Errorf("unable to register configz: %s", err)
|
glog.Errorf("unable to register configz: %s", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// check if we have CAP_SYS_ADMIN to setgroup properly
|
|
||||||
pid, err := capability.NewPid(os.Getpid())
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
if !pid.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
|
|
||||||
return fmt.Errorf("Kubelet needs the CAP_SYS_ADMIN capability. Please run kubelet as root or in a privileged container")
|
|
||||||
}
|
|
||||||
|
|
||||||
if kcfg == nil {
|
if kcfg == nil {
|
||||||
cfg, err := UnsecuredKubeletConfig(s)
|
cfg, err := UnsecuredKubeletConfig(s)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|