From 9c2309b7cbbba8cbe5dad7d8b0d6e705ecffd724 Mon Sep 17 00:00:00 2001
From: Dong Liu
Date: Thu, 25 May 2017 14:19:27 +0800
Subject: [PATCH] Add os dependent getSecurityOpts helper method.

---
 pkg/kubelet/dockershim/docker_container.go | 7 +++---
 pkg/kubelet/dockershim/docker_sandbox.go | 2 +-
 pkg/kubelet/dockershim/helpers_linux.go | 16 ++++++++++++++
 pkg/kubelet/dockershim/helpers_unsupported.go | 10 +++++++++
 pkg/kubelet/dockershim/helpers_windows.go | 22 +++++++++++++++++++
 5 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/pkg/kubelet/dockershim/docker_container.go b/pkg/kubelet/dockershim/docker_container.go
index 2c63cc78e27..f48373d2d7f 100644
--- a/pkg/kubelet/dockershim/docker_container.go
+++ b/pkg/kubelet/dockershim/docker_container.go
@@ -184,13 +184,12 @@ func (ds *dockerService) CreateContainer(podSandboxID string, config *runtimeapi
 	}
 	hc.Resources.Devices = devices
 
-	// Apply seccomp options.
-	seccompSecurityOpts, err := getSeccompSecurityOpts(config.Metadata.Name, sandboxConfig, ds.seccompProfileRoot, securityOptSep)
+	securityOpts, err := ds.getSecurityOpts(config.Metadata.Name, sandboxConfig, securityOptSep)
 	if err != nil {
-		return "", fmt.Errorf("failed to generate seccomp security options for container %q: %v", config.Metadata.Name, err)
+		return "", fmt.Errorf("failed to generate security options for container %q: %v", config.Metadata.Name, err)
 	}
 
-	hc.SecurityOpt = append(hc.SecurityOpt, seccompSecurityOpts...)
+	hc.SecurityOpt = append(hc.SecurityOpt, securityOpts...)
 	createConfig.HostConfig = hc
 	createResp, err := ds.client.CreateContainer(createConfig)
 	if err != nil {
diff --git a/pkg/kubelet/dockershim/docker_sandbox.go b/pkg/kubelet/dockershim/docker_sandbox.go
index 1f6b9b426a2..bcac5d5c431 100644
--- a/pkg/kubelet/dockershim/docker_sandbox.go
+++ b/pkg/kubelet/dockershim/docker_sandbox.go
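Review bot: The new error path reports the container name twice: the Linux getSecurityOpts in helpers_linux.go already returns `failed to generate seccomp security options for container %q: %v`, and the call site in this hunk wraps that again as `failed to generate security options for container %q: %v`, so a single failure logs the name twice under two near-identical prefixes; the sandbox caller in docker_sandbox.go does the same with the sandbox name. Either let the helper hand back getSeccompSecurityOpts' error unwrapped and keep the context at the call sites, or keep the helper's message and `return "", err` here. CreateContainer begins and ends outside this hunk.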
@@ -537,7 +537,7 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 	}
 
 	// Set security options.
-	securityOpts, err := getSeccompSecurityOpts(sandboxContainerName, c, ds.seccompProfileRoot, securityOptSep)
+	securityOpts, err := ds.getSecurityOpts(sandboxContainerName, c, securityOptSep)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate sandbox security options for sandbox %q: %v", c.Metadata.Name, err)
 	}
diff --git a/pkg/kubelet/dockershim/helpers_linux.go b/pkg/kubelet/dockershim/helpers_linux.go
index 8b762f545d6..4b46376a56d 100644
--- a/pkg/kubelet/dockershim/helpers_linux.go
+++ b/pkg/kubelet/dockershim/helpers_linux.go
@@ -18,6 +18,22 @@ limitations under the License.
 
 package dockershim
 
+import (
+	"fmt"
+
+	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
+)
+
 func DefaultMemorySwap() int64 {
 	return 0
 }
+
+func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
+	// Apply seccomp options.
+	seccompSecurityOpts, err := getSeccompSecurityOpts(containerName, sandboxConfig, ds.seccompProfileRoot, separator)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate seccomp security options for container %q: %v", containerName, err)
+	}
+
+	return seccompSecurityOpts, nil
+}
diff --git a/pkg/kubelet/dockershim/helpers_unsupported.go b/pkg/kubelet/dockershim/helpers_unsupported.go
index f82bfeacc09..e707046cb53 100644
--- a/pkg/kubelet/dockershim/helpers_unsupported.go
+++ b/pkg/kubelet/dockershim/helpers_unsupported.go
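Review bot: The new getSecurityOpts has no doc comment, and because its behaviour is build-dependent (this file produces seccomp options, while the Windows and unsupported variants return nil) the contract belongs in one: `// getSecurityOpts returns the docker security options to apply to containerName; on Linux this is the seccomp profile derived from sandboxConfig, resolved under ds.seccompProfileRoot.` The `// Apply seccomp options.` line inside the body describes the caller's action rather than this function's and reads better folded into that doc comment. The same comment should head the implementations in helpers_unsupported.go and helpers_windows.go so the three build variants document one contract and say where they diverge.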
@@ -18,6 +18,16 @@ limitations under the License.
 
 package dockershim
 
+import (
+	"github.com/golang/glog"
+	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
+)
+
 func DefaultMemorySwap() int64 {
 	return -1
 }
+
+func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
+	glog.Warningf("getSecurityOpts is unsupported in this build")
+	return nil, nil
+}
diff --git a/pkg/kubelet/dockershim/helpers_windows.go b/pkg/kubelet/dockershim/helpers_windows.go
index c5c4af13ac5..a8687b7ea49 100644
--- a/pkg/kubelet/dockershim/helpers_windows.go
+++ b/pkg/kubelet/dockershim/helpers_windows.go
@@ -18,6 +18,28 @@ limitations under the License.
 
 package dockershim
 
+import (
+	"github.com/golang/glog"
+	"k8s.io/kubernetes/pkg/api/v1"
+	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
+)
+
 func DefaultMemorySwap() int64 {
 	return 0
 }
+
+func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
+	hasSeccompSetting := false
+	annotations := sandboxConfig.GetAnnotations()
+	if _, ok := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]; !ok {
+		_, hasSeccompSetting = annotations[v1.SeccompPodAnnotationKey]
+	} else {
+		hasSeccompSetting = true
+	}
+
+	if hasSeccompSetting {
+		glog.Warningf("seccomp annotations found, but it is not supported on windows")
+	}
+
+	return nil, nil
+}
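Review bot: On this build a pod whose annotations request a seccomp profile is started without one, and the callers in docker_container.go and docker_sandbox.go treat the `nil, nil` result as success, so the requested confinement is dropped with only a log line as evidence; the Windows variant in helpers_windows.go has the same fail-open shape. If that is the intended policy the doc comment should state it plainly, otherwise returning an error when an annotation asks for a profile, as the Linux path can through getSeccompSecurityOpts' error return, would make the pod fail rather than run less confined than specified. Separately, the `glog.Warningf("getSecurityOpts is unsupported in this build")` fires on every container and sandbox creation regardless of annotations, which is noise on every node of this build; gating it on the annotations as the Windows variant does, or lowering it to V(4), would keep the log useful.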
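Review bot: The warning in the new getSecurityOpts does not name the container that triggered it, so an operator cannot tell from the log which workload lost its seccomp setting; `glog.Warningf("seccomp annotations found for container %q, but it is not supported on windows", containerName)` would make it actionable. The if/else around hasSeccompSetting can be flattened to two lookups, `_, hasContainerSetting := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]`, `_, hasPodSetting := annotations[v1.SeccompPodAnnotationKey]`, `if hasContainerSetting || hasPodSetting {`, which removes the mutable flag and the else branch without changing which annotations are checked. separator is unused here, which is acceptable for a build-specific stub but worth a doc comment stating that no security options are produced on Windows.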