Fix NoNewPrivs and also allow remote runtime to provide the support.

This commit is contained in:
Lantao Liu 2017-08-25 18:10:57 +00:00
parent cb6f32e8ba
commit b760fa95e5


@ -187,6 +187,11 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
return PodAdmitResult{Admit: true}
}
// Always admit for remote runtime.
if a.Runtime.Type() == kubetypes.RemoteContainerRuntime {
return PodAdmitResult{Admit: true}
}
// Make sure it is either docker or rkt runtimes.
if a.Runtime.Type() != kubetypes.DockerContainerRuntime && a.Runtime.Type() != kubetypes.RktContainerRuntime {
return PodAdmitResult{
@ -196,7 +201,7 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
}
}
if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
if a.Runtime.Type() == kubetypes.DockerContainerRuntime {
// Make sure docker api version is valid.
rversion, err := a.Runtime.APIVersion()
if err != nil {
@ -206,7 +211,7 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
v, err := rversion.Compare("1.23")
v, err := rversion.Compare("1.23.0")
if err != nil {
return PodAdmitResult{
Admit: false,
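Review bot: The remote-runtime branch added in the first hunk admits unconditionally, so a pod that sets allowPrivilegeEscalation: false is accepted even when the remote runtime does not honor NoNewPrivs, and the one-line comment does not say that enforcement is being delegated rather than checked. The docker path a few lines below still verifies the API version before admitting, so the asymmetry is easy to miss for a reader of this handler. At minimum the comment should state the assumption: `// Always admit for remote runtime: NoNewPrivs enforcement is delegated to the remote runtime and is not verified by the kubelet.` If the handler has access to a runtime capability query, an explicit check would be preferable, but none is visible in these hunks. The enclosing Admit method begins before the first hunk.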