Check Pod privileged container

This commit is contained in:
Deyuan Deng
2015-05-09 17:17:36 -04:00
committed by Deyuan Deng
parent 738f403eea
commit 2f7183cba5
4 changed files with 65 additions and 13 deletions


@@ -22,6 +22,7 @@ import (
"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
"github.com/GoogleCloudPlatform/kubernetes/pkg/api/resource"
"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
"github.com/GoogleCloudPlatform/kubernetes/pkg/securitycontext"
cadvisorApi "github.com/google/cadvisor/info/v1"
)
@@ -48,7 +49,14 @@ func canRunPod(pod *api.Pod) error {
return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
}
}
// TODO(vmarmol): Check Privileged too.
if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
}
return nil
}
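Review bot: The new loop ranges `pod.Spec.Containers` by value and then takes the address of the per-iteration copy, so every `api.Container` in the pod is copied just to be inspected; indexing the slice avoids the copy and makes it explicit that the pointer refers to the spec entry: `for i := range pod.Spec.Containers {` / `if securitycontext.HasPrivilegedRequest(&pod.Spec.Containers[i]) {`. If the `// TODO(vmarmol): Check Privileged too.` comment shown just above the new block survives on the new side, it is now stale and should be removed along with this change. The decision also depends on `capabilities.Get().AllowPrivileged` reflecting the kubelet's configured value at the time of the call, which I assume is set during startup; a short comment such as `// Reject privileged containers unless the kubelet was started with privileged mode allowed.` would make that dependency visible to the reader. The enclosing canRunPod begins outside the hunk, so whether it already carries a doc comment is not visible here.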