Add HostNetworkSources capability to limit use of HostNetwork.

pkg/kubelet/kubelet.go

@@ -1007,6 +1007,20 @@ const (
 	PodInfraContainerImage = "kubernetes/pause:latest"
 )
 
+// Determined whether the specified pod is allowed to use host networking
+func allowHostNetwork(pod *api.Pod) (bool, error) {
+	podSource, err := getPodSource(pod)
+	if err != nil {
+		return false, err
+	}
+	for _, source := range capabilities.Get().HostNetworkSources {
+		if source == podSource {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
 // createPodInfraContainer starts the pod infra container for a pod. Returns the docker container ID of the newly created container.
 func (kl *Kubelet) createPodInfraContainer(pod *api.Pod) (dockertools.DockerID, error) {
 	var ports []api.ContainerPort
@@ -1040,11 +1054,21 @@ func (kl *Kubelet) createPodInfraContainer(pod *api.Pod) (dockertools.DockerID,
 	if ref != nil {
 		kl.recorder.Eventf(ref, "pulled", "Successfully pulled image %q", container.Image)
 	}
-	// TODO(vmarmol): Auth.
+
+	// Use host networking if specified and allowed.
 	netNamespace := ""
 	if pod.Spec.HostNetwork {
+		allowed, err := allowHostNetwork(pod)
+		if err != nil {
+			return "", err
+		}
+		if !allowed {
+			return "", fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
+		}
+
 		netNamespace = "host"
 	}
+
 	id, err := kl.runContainer(pod, container, nil, netNamespace, "")
 	if err != nil {
 		return "", err

pkg/kubelet/kubelet_test.go

@@ -35,6 +35,7 @@ import (
 
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/resource"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/record"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/cadvisor"
@@ -3456,3 +3457,61 @@ func TestDoNotCacheStatusForStaticPods(t *testing.T) {
 		t.Errorf("unexpected status %#v found for static pod %q", status, podFullName)
 	}
 }
+
+func TestHostNetworkAllowed(t *testing.T) {
+	testKubelet := newTestKubelet(t)
+	kubelet := testKubelet.kubelet
+
+	capabilities.SetForTests(capabilities.Capabilities{
+		HostNetworkSources: []string{ApiserverSource, FileSource},
+	})
+	pod := &api.Pod{
+		ObjectMeta: api.ObjectMeta{
+			UID:       "12345678",
+			Name:      "foo",
+			Namespace: "new",
+			Annotations: map[string]string{
+				ConfigSourceAnnotationKey: FileSource,
+			},
+		},
+		Spec: api.PodSpec{
+			Containers: []api.Container{
+				{Name: "foo"},
+			},
+			HostNetwork: true,
+		},
+	}
+	_, err := kubelet.createPodInfraContainer(pod)
+	if err != nil {
+		t.Errorf("expected pod infra creation to succeed: %v", err)
+	}
+}
+
+func TestHostNetworkDisallowed(t *testing.T) {
+	testKubelet := newTestKubelet(t)
+	kubelet := testKubelet.kubelet
+
+	capabilities.SetForTests(capabilities.Capabilities{
+		HostNetworkSources: []string{},
+	})
+	pod := &api.Pod{
+		ObjectMeta: api.ObjectMeta{
+			UID:       "12345678",
+			Name:      "foo",
+			Namespace: "new",
+			Annotations: map[string]string{
+				ConfigSourceAnnotationKey: FileSource,
+			},
+		},
+		Spec: api.PodSpec{
+			Containers: []api.Container{
+				{Name: "foo"},
+			},
+			HostNetwork: true,
+		},
+	}
+	_, err := kubelet.createPodInfraContainer(pod)
+	if err == nil {
+		t.Errorf("expected pod infra creation to fail")
+	}
+}

pkg/kubelet/types.go

@@ -16,7 +16,11 @@ limitations under the License.
 
 package kubelet
 
-import "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+import (
+	"fmt"
+
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+)
 
 const ConfigSourceAnnotationKey = "kubernetes.io/config.source"
 const ConfigMirrorAnnotationKey = "kubernetes.io/config.mirror"
@@ -64,3 +68,22 @@ type PodUpdate struct {
 	Op     PodOperation
 	Source string
 }
+
+// Gets all validated sources from the specified sources.
+func GetValidatedSources(sources []string) ([]string, error) {
+	validated := make([]string, 0, len(sources))
+	for _, source := range sources {
+		switch source {
+		case AllSource:
+			return []string{FileSource, HTTPSource, ApiserverSource}, nil
+		case FileSource, HTTPSource, ApiserverSource:
+			validated = append(validated, source)
+			break
+		case "":
+			break
+		default:
+			return []string{}, fmt.Errorf("unknown pod source %q", source)
+		}
+	}
+	return validated, nil
+}

pkg/kubelet/types_test.go

@@ -0,0 +1,44 @@
+/*
+Copyright 2014 Google Inc. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetValidatedSources(t *testing.T) {
+	// Empty.
+	sources, err := GetValidatedSources([]string{""})
+	require.NoError(t, err)
+	require.Len(t, sources, 0)
+
+	// Success.
+	sources, err = GetValidatedSources([]string{FileSource, ApiserverSource})
+	require.NoError(t, err)
+	require.Len(t, sources, 2)
+
+	// All.
+	sources, err = GetValidatedSources([]string{AllSource})
+	require.NoError(t, err)
+	require.Len(t, sources, 3)
+
+	// Unknown source.
+	sources, err = GetValidatedSources([]string{"taco"})
+	require.Error(t, err)
+}

pkg/kubelet/util.go

@@ -27,9 +27,10 @@ import (
 )
 
 // TODO: move this into pkg/capabilities
-func SetupCapabilities(allowPrivileged bool) {
+func SetupCapabilities(allowPrivileged bool, hostNetworkSources []string) {
 	capabilities.Initialize(capabilities.Capabilities{
-		AllowPrivileged: allowPrivileged,
+		AllowPrivileged:    allowPrivileged,
+		HostNetworkSources: hostNetworkSources,
 	})
 }