Add HostNetworking container option to API.
This allows a container to run within the same networking namespace as the host. This will be locked down by default using a flag on the master and nodes (similar to how privileged is handled today).
@@ -650,6 +650,20 @@ func validateDNSPolicy(dnsPolicy *api.DNSPolicy) errs.ValidationErrorList {
|
||||
return allErrors
|
||||
}
|
||||
|
||||
func validateHostNetwork(hostNetwork bool, containers []api.Container) errs.ValidationErrorList {
|
||||
allErrors := errs.ValidationErrorList{}
|
||||
if hostNetwork {
|
||||
for _, container := range containers {
|
||||
for _, port := range container.Ports {
|
||||
if port.HostPort != port.ContainerPort {
|
||||
allErrors = append(allErrors, errs.NewFieldInvalid("containerPort", port.ContainerPort, "containerPort must match hostPort if hostNetwork is set to true"))
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return allErrors
|
||||
}
|
||||
|
||||
// ValidatePod tests if required fields in the pod are set.
|
||||
func ValidatePod(pod *api.Pod) errs.ValidationErrorList {
|
||||
allErrs := errs.ValidationErrorList{}
|
||||
@@ -672,6 +686,7 @@ func ValidatePodSpec(spec *api.PodSpec) errs.ValidationErrorList {
|
||||
allErrs = append(allErrs, validateRestartPolicy(&spec.RestartPolicy).Prefix("restartPolicy")...)
|
||||
allErrs = append(allErrs, validateDNSPolicy(&spec.DNSPolicy).Prefix("dnsPolicy")...)
|
||||
allErrs = append(allErrs, ValidateLabels(spec.NodeSelector, "nodeSelector")...)
|
||||
allErrs = append(allErrs, validateHostNetwork(spec.HostNetwork, spec.Containers).Prefix("hostNetwork")...)
|
||||
return allErrs
|
||||
}
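Review bot: Nothing in this section restricts who may set `HostNetwork: true`: validateHostNetwork only compares ports, and the master/node flag the description promises is not visible in these hunks, so confirm that gate ships with this change, because a pod sharing the host's network namespace is no longer isolated from host-local listeners. Inside the check, an unset `HostPort` (0) with a non-zero `ContainerPort` fails `port.HostPort != port.ContainerPort` and gets the same message as a real mismatch; if that is intended, the message should say that hostPort must be set explicitly. The error path comes out as `hostNetwork.containerPort` with no container or port index, so I would index both loops and report something like `containers[i].ports[j].containerPort`. The function also needs a doc comment, e.g. `// validateHostNetwork requires hostPort == containerPort on every port when the pod uses the host's network namespace.`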
|
||||
|
||||
|
@@ -712,6 +712,16 @@ func TestValidatePodSpec(t *testing.T) {
|
||||
Host: "foobar",
|
||||
DNSPolicy: api.DNSClusterFirst,
|
||||
},
|
||||
{ // Populate HostNetwork.
|
||||
Containers: []api.Container{
|
||||
{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", Ports: []api.ContainerPort{
|
||||
{HostPort: 8080, ContainerPort: 8080, Protocol: "TCP"}},
|
||||
},
|
||||
},
|
||||
HostNetwork: true,
|
||||
RestartPolicy: api.RestartPolicyAlways,
|
||||
DNSPolicy: api.DNSClusterFirst,
|
||||
},
|
||||
}
|
||||
for i := range successCases {
|
||||
if errs := ValidatePodSpec(&successCases[i]); len(errs) != 0 {
|
||||
@@ -745,6 +755,16 @@ func TestValidatePodSpec(t *testing.T) {
|
||||
DNSPolicy: api.DNSClusterFirst,
|
||||
Containers: []api.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent"}},
|
||||
},
|
||||
"with hostNetwork hostPort not equal to containerPort": {
|
||||
Containers: []api.Container{
|
||||
{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", Ports: []api.ContainerPort{
|
||||
{HostPort: 8080, ContainerPort: 2600, Protocol: "TCP"}},
|
||||
},
|
||||
},
|
||||
HostNetwork: true,
|
||||
RestartPolicy: api.RestartPolicyAlways,
|
||||
DNSPolicy: api.DNSClusterFirst,
|
||||
},
|
||||
}
|
||||
for k, v := range failureCases {
|
||||
if errs := ValidatePodSpec(&v); len(errs) == 0 {
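Review bot: The new cases do not pin what happens when `HostNetwork: true` is combined with a port that leaves `HostPort` unset, e.g. `{ContainerPort: 8080, Protocol: "TCP"}`; with the validator in this commit that spec would be rejected (0 != 8080), and a named entry in failureCases would make that decision explicit and guard it against later defaulting changes. The failure loop visible at the end of this hunk only checks `len(errs) == 0`, and its body continues outside the hunk, so as far as can be seen here the test would also pass if the spec failed for an unrelated reason; asserting on the reported field for the hostNetwork case would tighten it.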
|
||||
|