Merge pull request #27598 from xiangpengzhao/optimize_canRunPod
Automatic merge from submit-queue Refactor func canRunPod After refactoring, we only need to check `if pod.Spec.SecurityContext == nil` once. The logic is a bit clearer.
This commit is contained in:
commit
d744fd411f
@ -27,7 +27,24 @@ import (
|
||||
|
||||
// Check whether we have the capabilities to run the specified pod.
|
||||
func canRunPod(pod *api.Pod) error {
|
||||
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostNetwork {
|
||||
if !capabilities.Get().AllowPrivileged {
|
||||
for _, container := range pod.Spec.Containers {
|
||||
if securitycontext.HasPrivilegedRequest(&container) {
|
||||
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
|
||||
}
|
||||
}
|
||||
for _, container := range pod.Spec.InitContainers {
|
||||
if securitycontext.HasPrivilegedRequest(&container) {
|
||||
return fmt.Errorf("pod with UID %q specified privileged init container, but is disallowed", pod.UID)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if pod.Spec.SecurityContext == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if pod.Spec.SecurityContext.HostNetwork {
|
||||
allowed, err := allowHostNetwork(pod)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -37,7 +54,7 @@ func canRunPod(pod *api.Pod) error {
|
||||
}
|
||||
}
|
||||
|
||||
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
|
||||
if pod.Spec.SecurityContext.HostPID {
|
||||
allowed, err := allowHostPID(pod)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -47,7 +64,7 @@ func canRunPod(pod *api.Pod) error {
|
||||
}
|
||||
}
|
||||
|
||||
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
|
||||
if pod.Spec.SecurityContext.HostIPC {
|
||||
allowed, err := allowHostIPC(pod)
|
||||
if err != nil {
|
||||
return err
|
||||
@ -57,18 +74,6 @@ func canRunPod(pod *api.Pod) error {
|
||||
}
|
||||
}
|
||||
|
||||
if !capabilities.Get().AllowPrivileged {
|
||||
for _, container := range pod.Spec.Containers {
|
||||
if securitycontext.HasPrivilegedRequest(&container) {
|
||||
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
|
||||
}
|
||||
}
|
||||
for _, container := range pod.Spec.InitContainers {
|
||||
if securitycontext.HasPrivilegedRequest(&container) {
|
||||
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
|
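Review bot: The early `return nil` at the nil-SecurityContext check in the first hunk silently skips every check placed after it, so any future admission check that does not depend on pod.Spec.SecurityContext has to be inserted above that return; a comment should say so, e.g. `// A nil SecurityContext means no host namespace requests; checks that do not depend on it belong above this return.` The reordering also moves the privileged-container loop ahead of the host-namespace checks, so a pod that is both privileged and requests hostNetwork now reports the privileged error first rather than the hostNetwork one — the allow/deny outcome is unchanged, but it is worth a sentence in the description in case a test or caller matches on the message. canRunPod begins in the first hunk and ends in the last one.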