Add os dependent getSecurityOpts helper method.

2025-08-09 12:07:47 +00:00 · 2017-05-25 14:19:27 +08:00 · 2017-05-25 14:19:27 +08:00 · 9c2309b7cb
commit 9c2309b7cb
parent 33c34f0ae4
5 changed files with 52 additions and 5 deletions
--- a/pkg/kubelet/dockershim/docker_container.go
+++ b/pkg/kubelet/dockershim/docker_container.go
@ -184,13 +184,12 @@ func (ds *dockerService) CreateContainer(podSandboxID string, config *runtimeapi
 	}
 	hc.Resources.Devices = devices
-	// Apply seccomp options.
+	securityOpts, err := ds.getSecurityOpts(config.Metadata.Name, sandboxConfig, securityOptSep)
 	seccompSecurityOpts, err := getSeccompSecurityOpts(config.Metadata.Name, sandboxConfig, ds.seccompProfileRoot, securityOptSep)
 	if err != nil {
-		return "", fmt.Errorf("failed to generate seccomp security options for container %q: %v", config.Metadata.Name, err)
+		return "", fmt.Errorf("failed to generate security options for container %q: %v", config.Metadata.Name, err)
 	}
 	hc.SecurityOpt = append(hc.SecurityOpt, seccompSecurityOpts...)
 	hc.SecurityOpt = append(hc.SecurityOpt, securityOpts...)
 	createConfig.HostConfig = hc
 	createResp, err := ds.client.CreateContainer(createConfig)
 	if err != nil {
--- a/pkg/kubelet/dockershim/docker_sandbox.go
+++ b/pkg/kubelet/dockershim/docker_sandbox.go
@ -537,7 +537,7 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 	}
 	// Set security options.
-	securityOpts, err := getSeccompSecurityOpts(sandboxContainerName, c, ds.seccompProfileRoot, securityOptSep)
+	securityOpts, err := ds.getSecurityOpts(sandboxContainerName, c, securityOptSep)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate sandbox security options for sandbox %q: %v", c.Metadata.Name, err)
 	}
--- a/pkg/kubelet/dockershim/helpers_linux.go
+++ b/pkg/kubelet/dockershim/helpers_linux.go
@ -18,6 +18,22 @@ limitations under the License.
 package dockershim
 import (
 	"fmt"
 	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
 )
 func DefaultMemorySwap() int64 {
 	return 0
 }
 func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
 	// Apply seccomp options.
 	seccompSecurityOpts, err := getSeccompSecurityOpts(containerName, sandboxConfig, ds.seccompProfileRoot, separator)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate seccomp security options for container %q: %v", containerName, err)
 	}
 	return seccompSecurityOpts, nil
 }
--- a/pkg/kubelet/dockershim/helpers_unsupported.go
+++ b/pkg/kubelet/dockershim/helpers_unsupported.go
@ -18,6 +18,16 @@ limitations under the License.
 package dockershim
 import (
 	"github.com/golang/glog"
 	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
 )
 func DefaultMemorySwap() int64 {
 	return -1
 }
 func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
 	glog.Warningf("getSecurityOpts is unsupported in this build")
 	return nil, nil
 }
--- a/pkg/kubelet/dockershim/helpers_windows.go
+++ b/pkg/kubelet/dockershim/helpers_windows.go
@ -18,6 +18,28 @@ limitations under the License.
 package dockershim
 import (
 	"github.com/golang/glog"
 	"k8s.io/kubernetes/pkg/api/v1"
 	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
 )
 func DefaultMemorySwap() int64 {
 	return 0
 }
 func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
 	hasSeccompSetting := false
 	annotations := sandboxConfig.GetAnnotations()
 	if _, ok := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]; !ok {
 		_, hasSeccompSetting = annotations[v1.SeccompPodAnnotationKey]
 	} else {
 		hasSeccompSetting = true
 	}
 	if hasSeccompSetting {
 		glog.Warningf("seccomp annotations found, but it is not supported on windows")
 	}
 	return nil, nil
 }