From b760fa95e5832b983b8fc331c6c7032a71b9e3ca Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Fri, 25 Aug 2017 18:10:57 +0000
Subject: [PATCH] Fix NoNewPrivs and also allow remote runtime to provide the support.
---
pkg/kubelet/lifecycle/handlers.go | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/pkg/kubelet/lifecycle/handlers.go b/pkg/kubelet/lifecycle/handlers.go
index 3ee925cf25a..8d606796ae7 100644
--- a/pkg/kubelet/lifecycle/handlers.go
+++ b/pkg/kubelet/lifecycle/handlers.go
@@ -187,6 +187,11 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
return PodAdmitResult{Admit: true}
}

+ // Always admit for remote runtime.
+ if a.Runtime.Type() == kubetypes.RemoteContainerRuntime {
+ return PodAdmitResult{Admit: true}
+ }
+
// Make sure it is either docker or rkt runtimes.
if a.Runtime.Type() != kubetypes.DockerContainerRuntime && a.Runtime.Type() != kubetypes.RktContainerRuntime {
return PodAdmitResult{
@@ -196,7 +201,7 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
}
}
- if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
+ if a.Runtime.Type() == kubetypes.DockerContainerRuntime {
// Make sure docker api version is valid.
rversion, err := a.Runtime.APIVersion()
if err != nil {
@@ -206,7 +211,7 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
}
- v, err := rversion.Compare("1.23")
+ v, err := rversion.Compare("1.23.0")
if err != nil {
return PodAdmitResult{
Admit: false,
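Review bot: The new early return for `kubetypes.RemoteContainerRuntime` admits every pod without the kubelet being able to confirm that the CRI implementation actually enforces NoNewPrivs, so the guarantee this handler gives for docker and rkt (reject a pod whose no-new-privs request cannot be honoured) becomes an unverified trust assumption about the remote shim. That appears to be the intent of the commit message, but the comment should state the delegation and its limit rather than just "Always admit", e.g. `// Always admit for remote runtime: NoNewPrivs enforcement is delegated to the CRI runtime and cannot be verified from the kubelet.` The diffstat shows only handlers.go changing, so neither the remote-runtime path nor the corrected docker condition is pinned by a test in this patch; a case in the handler's test file (presumably handlers_test.go) would catch a regression of the inverted check this commit fixes. Admit starts before this hunk, so the conditions that let a pod reach this point are not visible here.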
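Review bot: The corrected `== kubetypes.DockerContainerRuntime` test is now the third consecutive comparison of `a.Runtime.Type()` in Admit (after the remote-runtime early return and the docker-or-rkt guard), and the per-runtime policy is spread over three `if`s whose bodies live in different hunks; rkt now skips this block and falls through to whatever follows it outside the hunk. A single `switch` on the runtime type would make the policy readable at a glance and stop a fourth ad-hoc comparison from being added later. The `if` body opened here continues into the next hunk, and the rkt and default arms below stand for code that is not visible in this patch.
```go
	switch a.Runtime.Type() {
	case kubetypes.RemoteContainerRuntime:
		// NoNewPrivs enforcement is delegated to the CRI runtime.
		return PodAdmitResult{Admit: true}
	case kubetypes.DockerContainerRuntime:
		// … unchanged: docker API version check …
	case kubetypes.RktContainerRuntime:
		// … unchanged: whatever currently follows the docker block for rkt …
	default:
		// … unchanged: the existing "docker or rkt only" rejection …
	}
```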
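Review bot: The version threshold is still a bare string literal, and the `"1.23"` to `"1.23.0"` change is not explained anywhere in the hunk or the commit message, so the next reader cannot tell whether `1.23.0` is the minimum Docker API version with no-new-privileges support or just the form `Compare` accepts (presumably the former was already intended and `Compare` rejects two-component strings, which would explain the "Fix NoNewPrivs" part of the subject). Hoisting it to a named constant records both facts: `// dockerNoNewPrivsAPIVersion is the minimum Docker API version that honours no-new-privileges; Compare requires the three-component form.` followed by `const dockerNoNewPrivsAPIVersion = "1.23.0"` and `v, err := rversion.Compare(dockerNoNewPrivsAPIVersion)`. The comparison result `v` is consumed after this hunk, so the direction of the check (which side must be greater or equal) cannot be reviewed from the patch alone.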