Merge pull request #1288 from brendandburns/privilege

Add support for privileged containers.

cmd/kubelet/kubelet.go

@@ -58,6 +58,7 @@ var (
 	dockerEndpoint     = flag.String("docker_endpoint", "", "If non-empty, use this for the docker endpoint to communicate with")
 	etcdServerList     util.StringList
 	rootDirectory      = flag.String("root_dir", defaultRootDir, "Directory path for managing kubelet files (volume mounts,etc).")
+	allowPrivileged    = flag.Bool("allow_privileged", false, "If true, allow containers to request privileged mode.")
 )
 
 func init() {
@@ -150,7 +151,8 @@ func main() {
 		cadvisorClient,
 		etcdClient,
 		*rootDirectory,
-		*syncFrequency)
+		*syncFrequency,
+		*allowPrivileged)
 
 	health.AddHealthChecker("exec", health.NewExecHealthChecker(k))
 	health.AddHealthChecker("http", health.NewHTTPHealthChecker(&http.Client{}))

pkg/api/types.go

@@ -195,6 +195,8 @@ type Container struct {
 	VolumeMounts  []VolumeMount  `yaml:"volumeMounts,omitempty" json:"volumeMounts,omitempty"`
 	LivenessProbe *LivenessProbe `yaml:"livenessProbe,omitempty" json:"livenessProbe,omitempty"`
 	Lifecycle     *Lifecycle     `yaml:"lifecycle,omitempty" json:"lifecycle,omitempty"`
+	// Optional: Default to false.
+	Privileged bool `json:"privileged,omitempty" yaml:"privileged,omitempty"`
 }
 
 // Handler defines a specific action that should be taken

pkg/api/v1beta1/types.go

@@ -205,6 +205,8 @@ type Container struct {
 	VolumeMounts  []VolumeMount  `yaml:"volumeMounts,omitempty" json:"volumeMounts,omitempty"`
 	LivenessProbe *LivenessProbe `yaml:"livenessProbe,omitempty" json:"livenessProbe,omitempty"`
 	Lifecycle     *Lifecycle     `yaml:"lifecycle,omitempty" json:"lifecycle,omitempty"`
+	// Optional: Default to false.
+	Privileged bool `json:"privileged,omitempty" yaml:"privileged,omitempty"`
 }
 
 // Handler defines a specific action that should be taken

pkg/kubelet/kubelet.go

@@ -67,7 +67,8 @@ func NewMainKubelet(
 	cc CadvisorInterface,
 	ec tools.EtcdClient,
 	rd string,
-	ri time.Duration) *Kubelet {
+	ri time.Duration,
+	privileged bool) *Kubelet {
 	return &Kubelet{
 		hostname:        hn,
 		dockerClient:    dc,
@@ -78,6 +79,7 @@ func NewMainKubelet(
 		podWorkers:      newPodWorkers(),
 		runner:          dockertools.NewDockerContainerCommandRunner(),
 		httpClient:      &http.Client{},
+		allowPrivileged: privileged,
 	}
 }
 
@@ -119,6 +121,8 @@ type Kubelet struct {
 	runner dockertools.ContainerCommandRunner
 	// Optional, client for http requests, defaults to empty client
 	httpClient httpGetInterface
+	// Optional, allow privileged containers, defaults to false
+	allowPrivileged bool
 }
 
 // Run starts the kubelet reacting to config updates
@@ -335,10 +339,17 @@ func (kl *Kubelet) runContainer(pod *Pod, container *api.Container, podVolumes v
 	if err != nil {
 		return "", err
 	}
+	privileged := false
+	if kl.allowPrivileged {
+		privileged = container.Privileged
+	} else if container.Privileged {
+		return "", fmt.Errorf("Container requested privileged mode, but it is disallowed globally.")
+	}
 	err = kl.dockerClient.StartContainer(dockerContainer.ID, &docker.HostConfig{
 		PortBindings: portBindings,
 		Binds:        binds,
 		NetworkMode:  netMode,
+		Privileged:   privileged,
 	})
 	if err == nil && container.Lifecycle != nil && container.Lifecycle.PostStart != nil {
 		handlerErr := kl.runHandler(GetPodFullName(pod), pod.Manifest.UUID, container, container.Lifecycle.PostStart)