Merge pull request #28060 from yifan-gu/fix_stage1_anno
Automatic merge from submit-queue rkt: Fix the 'privileged' check when stage1 annotation is provided. Previously, when the stage1 annotation was provided, we only checked whether the kubelet allows privileged, which is not useful as that is a global setting. Instead, we should check whether the pod has explicitly set the privileged security context to 'true'. cc @kubernetes/sig-rktnetes @kubernetes/sig-node
commit
f33188a0d0
@ -42,7 +42,6 @@ import (
|
||||
"golang.org/x/net/context"
|
||||
"google.golang.org/grpc"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/capabilities"
|
||||
"k8s.io/kubernetes/pkg/client/record"
|
||||
"k8s.io/kubernetes/pkg/credentialprovider"
|
||||
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
|
||||
@ -733,7 +732,7 @@ func (r *Runtime) makeContainerLogMount(opts *kubecontainer.RunContainerOptions,
|
||||
}
|
||||
|
||||
func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, podIP string, c api.Container, requiresPrivileged bool, pullSecrets []api.Secret, manifest *appcschema.PodManifest) error {
|
||||
if requiresPrivileged && !capabilities.Get().AllowPrivileged {
|
||||
if requiresPrivileged && !securitycontext.HasPrivilegedRequest(&c) {
|
||||
return fmt.Errorf("cannot make %q: running a custom stage1 requires a privileged security context", format.Pod(pod))
|
||||
}
|
||||
if err, _ := r.imagePuller.PullImage(pod, &c, pullSecrets); err != nil {
|
||||
|
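Review bot: The new condition in newAppcRuntimeApp replaces the `capabilities.Get().AllowPrivileged` test instead of adding to it, so this function no longer refuses a custom stage1 on a node where privileged containers are disabled. That is safe only if a privileged request is already rejected earlier in pod admission when AllowPrivileged is false; that path is not visible on this page, so either confirm it or keep both gates with `if requiresPrivileged && (!capabilities.Get().AllowPrivileged || !securitycontext.HasPrivilegedRequest(&c)) {`, which would also mean keeping the `capabilities` import. The check is evaluated per container (`&c`) while the stage1 annotation appears to be a pod-level setting, so the error would be easier to act on if it named the offending container, for example by adding `c.Name` to the message. The function body continues past the end of the hunk.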