Merge pull request #30466 from vishh/kubelet-as-root

Automatic merge from submit-queue [Kubelet] Check if kubelet is running as uid 0 Related to #30176
2025-07-22 19:31:44 +00:00 · 2016-08-15 15:04:59 -07:00 · 2016-08-15 15:04:59 -07:00 · 921c4604b1
commit 921c4604b1
parent 967dc4234a c75b61ed48
1 changed files with 12 additions and 10 deletions
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@ -35,7 +35,6 @@ import (
 	"github.com/golang/glog"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/syndtr/gocapability/capability"
 	"k8s.io/kubernetes/cmd/kubelet/app/options"
 	"k8s.io/kubernetes/pkg/api"
@ -301,10 +300,22 @@ func Run(s *options.KubeletServer, kcfg *KubeletConfig) error {
 	return err
 }
 func checkPermissions() error {
 	if uid := os.Getuid(); uid != 0 {
 		return fmt.Errorf("Kubelet needs to run as uid `0`. It is being run as %d", uid)
 	}
 	// TODO: Check if kubelet is running in the `initial` user namespace.
 	// http://man7.org/linux/man-pages/man7/user_namespaces.7.html
 	return nil
 }
 func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
 	if s.ExitOnLockContention && s.LockFilePath == "" {
 		return errors.New("cannot exit on lock file contention: no lock file specified")
 	}
 	if err := checkPermissions(); err != nil {
 		glog.Error(err)
 	}
 	done := make(chan struct{})
 	if s.LockFilePath != "" {
@ -325,15 +336,6 @@ func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
 		glog.Errorf("unable to register configz: %s", err)
 	}
 	// check if we have CAP_SYS_ADMIN to setgroup properly
 	pid, err := capability.NewPid(os.Getpid())
 	if err != nil {
 		return err
 	}
 	if !pid.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
 		return fmt.Errorf("Kubelet needs the CAP_SYS_ADMIN capability. Please run kubelet as root or in a privileged container")
 	}
 	if kcfg == nil {
 		cfg, err := UnsecuredKubeletConfig(s)
 		if err != nil {