fix no-new-privileges on windows
parent
886727a4c0
commit
aea228f5dd
@ -666,12 +666,6 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
|
||||
return createConfig, nil
|
||||
}
|
||||
|
||||
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
|
||||
// run sandbox with no-new-privileges and using runtime/default
|
||||
// sending no "seccomp=" means docker will use default profile
|
||||
return []string{"no-new-privileges"}
|
||||
}
|
||||
|
||||
// networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container.
|
||||
// Supports: POD, NODE
|
||||
func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode {
|
||||
|
@ -48,6 +48,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
|
||||
return seccompSecurityOpts, nil
|
||||
}
|
||||
|
||||
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
|
||||
// run sandbox with no-new-privileges and using runtime/default
|
||||
// sending no "seccomp=" means docker will use default profile
|
||||
return []string{"no-new-privileges"}
|
||||
}
|
||||
|
||||
func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
|
||||
if seccompProfile == "" || seccompProfile == v1.SeccompProfileNameUnconfined {
|
||||
// return early the default
|
||||
|
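Review bot: The `separator` parameter of `getSandBoxSecurityOpts` is never read in the body added here, and the function has no doc comment to say why; the same holds for the two stubs this commit adds for Windows and for unsupported builds. A doc comment would cover it, e.g. `// getSandBoxSecurityOpts returns the security options applied to every pod sandbox; separator is unused because no-new-privileges is a bare flag, not a key/value pair.` The existing inline comment also makes the sandbox's seccomp confinement depend on whatever default profile the Docker daemon applies, which is worth stating as an assumption, since that default is daemon configuration rather than something this code sets.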
@ -36,6 +36,11 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
|
||||
klog.Warningf("getSandBoxSecurityOpts is unsupported in this build")
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ds *dockerService) updateCreateConfig(
|
||||
createConfig *dockertypes.ContainerCreateConfig,
|
||||
config *runtimeapi.ContainerConfig,
|
||||
|
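Review bot: `klog.Warningf` is called with a constant string and no format arguments in the stub added here; `klog.Warning("getSandBoxSecurityOpts is unsupported in this build")` is the matching call. If this function runs on every sandbox creation, as its name suggests, the same warning will be logged for each pod, so a lower verbosity or a one-time log may be the better fit. A short comment that returning nil starts the sandbox without `no-new-privileges` on these builds would make the security consequence explicit.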
@ -43,6 +43,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
|
||||
// Currently, Windows container does not support privileged mode, so no no-new-privileges flag can be returned directly like Linux
|
||||
// If the future Windows container has new support for privileged mode, we can adjust it here
|
||||
return nil
|
||||
}
|
||||
|
||||
// applyExperimentalCreateConfig applys experimental configures from sandbox annotations.
|
||||
func applyExperimentalCreateConfig(createConfig *dockertypes.ContainerCreateConfig, annotations map[string]string) {
|
||||
if kubeletapis.ShouldIsolatedByHyperV(annotations) {
|
||||
|
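Review bot: The comment in the Windows `getSandBoxSecurityOpts` gives the absence of privileged mode as the reason for returning nil, but the option being dropped is `no-new-privileges`, and the double negative ("so no no-new-privileges flag") is hard to parse. Suggested wording: `// no-new-privileges is not supported for Windows containers, so the sandbox is created without any security options.` followed by `// Revisit this if Windows containers gain an equivalent option.` Because the function returns nil without logging, the comment is the only place a reader learns that Windows sandboxes run without this restriction.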