github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 22:46:12 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #27598 from xiangpengzhao/optimize_canRunPod

Browse Source 
Automatic merge from submit-queue

Refactor func canRunPod

After refactoring, we only need to check `if pod.Spec.SecurityContext == nil` once. The logic is a bit clearer.
This commit is contained in:
k8s-merge-robot 2016-06-26 19:41:09 -07:00 committed by GitHub
commit d744fd411f
1 changed files with 20 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
pkg/kubelet/util.go
View File

@ -27,7 +27,24 @@ import (
// Check whether we have the capabilities to run the specified pod. // Check whether we have the capabilities to run the specified pod.
func canRunPod(pod *api.Pod) error { func canRunPod(pod *api.Pod) error {
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostNetwork { if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
for _, container := range pod.Spec.InitContainers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged init container, but is disallowed", pod.UID)
}
}
}
if pod.Spec.SecurityContext == nil {
return nil
}
if pod.Spec.SecurityContext.HostNetwork {
allowed, err := allowHostNetwork(pod) allowed, err := allowHostNetwork(pod)
if err != nil { if err != nil {
return err return err
@ -37,7 +54,7 @@ func canRunPod(pod *api.Pod) error {
} }
} }
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID { if pod.Spec.SecurityContext.HostPID {
allowed, err := allowHostPID(pod) allowed, err := allowHostPID(pod)
if err != nil { if err != nil {
return err return err
@ -47,7 +64,7 @@ func canRunPod(pod *api.Pod) error {
} }
} }
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC { if pod.Spec.SecurityContext.HostIPC {
allowed, err := allowHostIPC(pod) allowed, err := allowHostIPC(pod)
if err != nil { if err != nil {
return err return err
@ -57,18 +74,6 @@ func canRunPod(pod *api.Pod) error {
} }
} }
if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
for _, container := range pod.Spec.InitContainers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
}
return nil return nil
} }