Admit NoNewPrivs for remote and rkt runtimes

Pengfei Ni 2017-08-26 20:24:56 +08:00
parent 6368c1fc82
commit fc8736fd97


@ -187,45 +187,34 @@ func (a *noNewPrivsAdmitHandler) Admit(attrs *PodAdmitAttributes) PodAdmitResult
return PodAdmitResult{Admit: true} return PodAdmitResult{Admit: true}
} }
// Always admit for remote runtime. // Always admit runtimes except docker.
if a.Runtime.Type() == kubetypes.RemoteContainerRuntime { if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
return PodAdmitResult{Admit: true} return PodAdmitResult{Admit: true}
} }
// Make sure it is either docker or rkt runtimes. // Make sure docker api version is valid.
if a.Runtime.Type() != kubetypes.DockerContainerRuntime && a.Runtime.Type() != kubetypes.RktContainerRuntime { rversion, err := a.Runtime.APIVersion()
if err != nil {
return PodAdmitResult{ return PodAdmitResult{
Admit: false, Admit: false,
Reason: "NoNewPrivs", Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %s runtime not supported", a.Runtime.Type()), Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
} }
} }
v, err := rversion.Compare("1.23.0")
if a.Runtime.Type() == kubetypes.DockerContainerRuntime { if err != nil {
// Make sure docker api version is valid. return PodAdmitResult{
rversion, err := a.Runtime.APIVersion() Admit: false,
if err != nil { Reason: "NoNewPrivs",
return PodAdmitResult{ Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err),
}
} }
v, err := rversion.Compare("1.23.0") }
if err != nil { // If the version is less than 1.23 it will return -1 above.
return PodAdmitResult{ if v == -1 {
Admit: false, return PodAdmitResult{
Reason: "NoNewPrivs", Admit: false,
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %v", err), Reason: "NoNewPrivs",
} Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
}
// If the version is less than 1.23 it will return -1 above.
if v == -1 {
return PodAdmitResult{
Admit: false,
Reason: "NoNewPrivs",
Message: fmt.Sprintf("Cannot enforce NoNewPrivs: docker runtime API version %q must be greater than or equal to 1.23", rversion.String()),
}
} }
} }
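Review bot: The new guard `if a.Runtime.Type() != kubetypes.DockerContainerRuntime` admits every runtime that is not docker, so a pod that requires NoNewPrivs is waved through with no check that its runtime enforces it, whereas the removed branch rejected unrecognised runtime types with `runtime not supported`. The commit's stated intent is to admit remote and rkt, and the negation may well be equivalent today if those are the only other types, but this handler is a fail-safe and an explicit allow-list keeps it fail-closed if another runtime type is ever added. I would admit only the two named types and keep the old rejection for anything else, as sketched below. The enclosing Admit method starts and ends outside this hunk.
```go
	// Only remote and rkt are admitted without a runtime version check.
	if t := a.Runtime.Type(); t == kubetypes.RemoteContainerRuntime || t == kubetypes.RktContainerRuntime {
		return PodAdmitResult{Admit: true}
	}
	// Fail closed for any runtime type that is neither of those nor docker.
	if a.Runtime.Type() != kubetypes.DockerContainerRuntime {
		return PodAdmitResult{
			Admit:   false,
			Reason:  "NoNewPrivs",
			Message: fmt.Sprintf("Cannot enforce NoNewPrivs: %s runtime not supported", a.Runtime.Type()),
		}
	}
	// … unchanged: docker API version check …
```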