Merge pull request #27598 from xiangpengzhao/optimize_canRunPod

Automatic merge from submit-queue

Refactor func canRunPod

After refactoring, we only need to check `if pod.Spec.SecurityContext == nil` once. The logic is a bit clearer.
This commit is contained in:
k8s-merge-robot 2016-06-26 19:41:09 -07:00 committed by GitHub
commit d744fd411f


@ -27,7 +27,24 @@ import (
// Check whether we have the capabilities to run the specified pod.
func canRunPod(pod *api.Pod) error {
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostNetwork {
if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
for _, container := range pod.Spec.InitContainers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged init container, but is disallowed", pod.UID)
}
}
}
if pod.Spec.SecurityContext == nil {
return nil
}
if pod.Spec.SecurityContext.HostNetwork {
allowed, err := allowHostNetwork(pod)
if err != nil {
return err
@ -37,7 +54,7 @@ func canRunPod(pod *api.Pod) error {
}
}
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
if pod.Spec.SecurityContext.HostPID {
allowed, err := allowHostPID(pod)
if err != nil {
return err
@ -47,7 +64,7 @@ func canRunPod(pod *api.Pod) error {
}
}
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
if pod.Spec.SecurityContext.HostIPC {
allowed, err := allowHostIPC(pod)
if err != nil {
return err
@ -57,18 +74,6 @@ func canRunPod(pod *api.Pod) error {
}
}
if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
for _, container := range pod.Spec.InitContainers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
}
return nil
}
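Review bot: The early `return nil` on the nil-SecurityContext branch in the first hunk is now load-bearing for the privileged-container scan placed above it: any check a later change adds below that return is silently skipped for pods with no SecurityContext, so the invariant deserves a comment such as `// The privileged-container scan above runs for every pod; everything below applies only when a SecurityContext is present.` The header comment could also follow Go doc form and name what is enforced, e.g. `// canRunPod returns an error when the pod requests privileged containers (including init containers) without AllowPrivileged, or host network/PID/IPC use that allowHostNetwork/allowHostPID/allowHostIPC reject.` The init-container message now saying "privileged init container" rather than the duplicated "privileged container" text is a welcome fix. Which lines are old and new is inferred from the hunk counts because this rendering dropped the +/- markers, and canRunPod spans all four hunks, so no single hunk shows its whole body.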