fix no-new-privileges on windows

This commit is contained in:
wawa0210 2020-07-15 01:27:22 +08:00 committed by Jordan Liggitt
parent 886727a4c0
commit aea228f5dd
4 changed files with 17 additions and 6 deletions


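--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -666,12 +666,6 @@ func (ds *dockerService) makeSandboxDockerConfig(c *runtimeapi.PodSandboxConfig,
 return createConfig, nil
 }
-func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
-// run sandbox with no-new-privileges and using runtime/default
-// sending no "seccomp=" means docker will use default profile
-return []string{"no-new-privileges"}
-}
 // networkNamespaceMode returns the network runtimeapi.NamespaceMode for this container.
 // Supports: POD, NODE
 func networkNamespaceMode(container *dockertypes.ContainerJSON) runtimeapi.NamespaceMode {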


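--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -48,6 +48,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 return seccompSecurityOpts, nil
 }
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+// run sandbox with no-new-privileges and using runtime/default
+// sending no "seccomp=" means docker will use default profile
+return []string{"no-new-privileges"}
+}
 func getSeccompDockerOpts(seccompProfile string) ([]dockerOpt, error) {
 if seccompProfile == "" || seccompProfile == v1.SeccompProfileNameUnconfined {
 // return early the default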
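Review bot: The `separator` parameter of the new Linux getSandBoxSecurityOpts is never used in its body, and the same holds for the unsupported and Windows variants added in the later sections; if it is kept only so the three build-tagged signatures stay identical and mirror getSecurityOpts, a doc comment should say so rather than leaving readers to wonder, e.g. `// getSandBoxSecurityOpts returns the docker security options applied to the pod sandbox container. separator is unused here and kept for signature parity with getSecurityOpts.` The first in-body comment also says the sandbox runs "using runtime/default", but this function emits no seccomp option at all; only the second line (omitting "seccomp=" leaves docker's default profile in effect) describes what the code does, so the "using runtime/default" wording could be dropped to avoid suggesting an explicit profile is set. getSeccompDockerOpts continues past the end of the hunk.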


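--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -36,6 +36,11 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 return nil, nil
 }
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+klog.Warningf("getSandBoxSecurityOpts is unsupported in this build")
+return nil
+}
 func (ds *dockerService) updateCreateConfig(
 createConfig *dockertypes.ContainerCreateConfig,
 config *runtimeapi.ContainerConfig,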
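Review bot: `klog.Warningf` on the first line of the new getSandBoxSecurityOpts is called with no format verbs and no arguments, so the plain `klog.Warning("getSandBoxSecurityOpts is unsupported in this build")` is the idiomatic form and avoids a later verb/argument mismatch if someone extends the message. The message itself says only that the call is unsupported; since the nil return means the sandbox container is created with no docker security options, it would help operators reading the log to state that consequence, e.g. `klog.Warning("getSandBoxSecurityOpts is unsupported in this build; sandbox is created without no-new-privileges")`. The caller is outside this hunk, so I cannot tell how often this fires, but if it is once per sandbox creation the warning will repeat for every pod on such a node and a one-time or lower-severity log may be preferable. updateCreateConfig's signature continues past the end of the hunk.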


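--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -43,6 +43,12 @@ func (ds *dockerService) getSecurityOpts(seccompProfile string, separator rune)
 return nil, nil
 }
+func (ds *dockerService) getSandBoxSecurityOpts(separator rune) []string {
+// Currently, Windows container does not support privileged mode, so no no-new-privileges flag can be returned directly like Linux
+// If the future Windows container has new support for privileged mode, we can adjust it here
+return nil
+}
 // applyExperimentalCreateConfig applys experimental configures from sandbox annotations.
 func applyExperimentalCreateConfig(createConfig *dockertypes.ContainerCreateConfig, annotations map[string]string) {
 if kubeletapis.ShouldIsolatedByHyperV(annotations) {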
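Review bot: The comment on the new Windows getSandBoxSecurityOpts explains the nil return by Windows containers lacking privileged mode, but the actual reason the option cannot be passed is that no-new-privileges is a Linux-specific security option (it is backed by the kernel's no_new_privs process flag), so docker on Windows cannot honor it whether or not privileged containers ever arrive; the sentence is also awkwardly worded ("no no-new-privileges flag can be returned directly like Linux"). Suggested replacement for the two comment lines: `// Windows containers have no equivalent of Linux's no-new-privileges security option (nor privileged mode), so docker on Windows cannot honor it; return no sandbox security options and revisit if Windows gains a comparable control.` It is also worth a short doc comment stating explicitly that the sandbox container on Windows is therefore created with no docker security options, so the nil is not mistaken for an omission. applyExperimentalCreateConfig continues past the end of the hunk.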