Add os dependent getSecurityOpts helper method.

2025-08-08 03:33:56 +00:00 · 2017-05-25 14:19:27 +08:00 · 2017-05-25 14:19:27 +08:00 · 9c2309b7cb
commit 9c2309b7cb
parent 33c34f0ae4
5 changed files with 52 additions and 5 deletions
--- a/pkg/kubelet/dockershim/docker_container.go
+++ b/pkg/kubelet/dockershim/docker_container.go
@ -184,13 +184,12 @@ func (ds *dockerService) CreateContainer(podSandboxID string, config *runtimeapi
 	}
 	hc.Resources.Devices = devices

-	// Apply seccomp options.
-	seccompSecurityOpts, err := getSeccompSecurityOpts(config.Metadata.Name, sandboxConfig, ds.seccompProfileRoot, securityOptSep)
+	securityOpts, err := ds.getSecurityOpts(config.Metadata.Name, sandboxConfig, securityOptSep)
 	if err != nil {
-		return "", fmt.Errorf("failed to generate seccomp security options for container %q: %v", config.Metadata.Name, err)
+		return "", fmt.Errorf("failed to generate security options for container %q: %v", config.Metadata.Name, err)
 	}
-	hc.SecurityOpt = append(hc.SecurityOpt, seccompSecurityOpts...)

+	hc.SecurityOpt = append(hc.SecurityOpt, securityOpts...)
 	createConfig.HostConfig = hc
 	createResp, err := ds.client.CreateContainer(createConfig)
 	if err != nil {
--- a/pkg/kubelet/dockershim/docker_sandbox.go
+++ b/pkg/kubelet/dockershim/docker_sandbox.go
@ -537,7 +537,7 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 	}

 	// Set security options.
-	securityOpts, err := getSeccompSecurityOpts(sandboxContainerName, c, ds.seccompProfileRoot, securityOptSep)
+	securityOpts, err := ds.getSecurityOpts(sandboxContainerName, c, securityOptSep)
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate sandbox security options for sandbox %q: %v", c.Metadata.Name, err)
 	}
--- a/pkg/kubelet/dockershim/helpers_linux.go
+++ b/pkg/kubelet/dockershim/helpers_linux.go
@ -18,6 +18,22 @@ limitations under the License.

 package dockershim

+import (
+	"fmt"
+
+	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
+)
+
 func DefaultMemorySwap() int64 {
 	return 0
 }
+
+func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
+	// Apply seccomp options.
+	seccompSecurityOpts, err := getSeccompSecurityOpts(containerName, sandboxConfig, ds.seccompProfileRoot, separator)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate seccomp security options for container %q: %v", containerName, err)
+	}
+
+	return seccompSecurityOpts, nil
+}
--- a/pkg/kubelet/dockershim/helpers_unsupported.go
+++ b/pkg/kubelet/dockershim/helpers_unsupported.go
@ -18,6 +18,16 @@ limitations under the License.

 package dockershim

+import (
+	"github.com/golang/glog"
+	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
+)
+
 func DefaultMemorySwap() int64 {
 	return -1
 }
+
+func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
+	glog.Warningf("getSecurityOpts is unsupported in this build")
+	return nil, nil
+}
--- a/pkg/kubelet/dockershim/helpers_windows.go
+++ b/pkg/kubelet/dockershim/helpers_windows.go
@ -18,6 +18,28 @@ limitations under the License.

 package dockershim

+import (
+	"github.com/golang/glog"
+	"k8s.io/kubernetes/pkg/api/v1"
+	runtimeapi "k8s.io/kubernetes/pkg/kubelet/apis/cri/v1alpha1"
+)
+
 func DefaultMemorySwap() int64 {
 	return 0
 }
+
+func (ds *dockerService) getSecurityOpts(containerName string, sandboxConfig *runtimeapi.PodSandboxConfig, separator rune) ([]string, error) {
+	hasSeccompSetting := false
+	annotations := sandboxConfig.GetAnnotations()
+	if _, ok := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]; !ok {
+		_, hasSeccompSetting = annotations[v1.SeccompPodAnnotationKey]
+	} else {
+		hasSeccompSetting = true
+	}
+
+	if hasSeccompSetting {
+		glog.Warningf("seccomp annotations found, but it is not supported on windows")
+	}
+
+	return nil, nil
+}