From 8b1b9120c6031f4b6f6919955cd81418470694b3 Mon Sep 17 00:00:00 2001
From: Yifan Gu
Date: Fri, 24 Jun 2016 16:33:12 -0700
Subject: [PATCH] rkt: Fix the 'privileged' check when stage1 annotation is provided.

Previously when stage1 annotation is provided, we only checks if the kubelet allows privileged, which is not useful as that is a global setting. Instead, we should check if the pod has explicitly set the privileged security context to 'true'.
---
 pkg/kubelet/rkt/rkt.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pkg/kubelet/rkt/rkt.go b/pkg/kubelet/rkt/rkt.go
index 8b04c74221f..92408033ffe 100644
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
@@ -42,7 +42,6 @@ import (
 "golang.org/x/net/context"
 "google.golang.org/grpc"
 "k8s.io/kubernetes/pkg/api"
- "k8s.io/kubernetes/pkg/capabilities"
 "k8s.io/kubernetes/pkg/client/record"
 "k8s.io/kubernetes/pkg/credentialprovider"
 kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
@@ -733,7 +732,7 @@ func (r *Runtime) makeContainerLogMount(opts *kubecontainer.RunContainerOptions,
 }

 func (r *Runtime) newAppcRuntimeApp(pod *api.Pod, podIP string, c api.Container, requiresPrivileged bool, pullSecrets []api.Secret, manifest *appcschema.PodManifest) error {
- if requiresPrivileged && !capabilities.Get().AllowPrivileged {
+ if requiresPrivileged && !securitycontext.HasPrivilegedRequest(&c) {
 return fmt.Errorf("cannot make %q: running a custom stage1 requires a privileged security context", format.Pod(pod))
 }
 if err, _ := r.imagePuller.PullImage(pod, &c, pullSecrets); err != nil {
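Review bot: The new condition on the `if requiresPrivileged` line in newAppcRuntimeApp makes the container's own `securityContext.privileged` request the only thing standing between a pod and a custom stage1 image, which runs with host-level privileges; the kubelet-wide AllowPrivileged gate that the old line consulted no longer participates here at all. That is sound only if the global gate is enforced earlier on the pod admission path (the kubelet presumably rejects privileged requests when --allow-privileged is false, but that is not visible in this hunk), so it is worth confirming and, as defense in depth, keeping both: `if requiresPrivileged && (!capabilities.Get().AllowPrivileged || !securitycontext.HasPrivilegedRequest(&c)) {`, which would also mean retaining the capabilities import the first hunk drops. Either way a why-comment above the check would help the next reader, e.g. `// A custom stage1 runs with host privileges, so the container must opt in explicitly via securityContext.privileged; the node-wide AllowPrivileged gate is assumed to be enforced at pod admission, not here — confirm.` The `securitycontext` package is not added by the import hunk, so it is presumably already imported elsewhere in rkt.go. newAppcRuntimeApp's body continues outside the hunk.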