Merge pull request #30466 from vishh/kubelet-as-root
Automatic merge from submit-queue. [Kubelet] Check if kubelet is running as uid 0. Related to #30176
@@ -35,7 +35,6 @@ import (
|
||||
"github.com/golang/glog"
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/spf13/pflag"
|
||||
"github.com/syndtr/gocapability/capability"
|
||||
|
||||
"k8s.io/kubernetes/cmd/kubelet/app/options"
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
@@ -301,10 +300,22 @@ func Run(s *options.KubeletServer, kcfg *KubeletConfig) error {
|
||||
return err
|
||||
}
|
||||
|
||||
func checkPermissions() error {
|
||||
if uid := os.Getuid(); uid != 0 {
|
||||
return fmt.Errorf("Kubelet needs to run as uid `0`. It is being run as %d", uid)
|
||||
}
|
||||
// TODO: Check if kubelet is running in the `initial` user namespace.
|
||||
// http://man7.org/linux/man-pages/man7/user_namespaces.7.html
|
||||
return nil
|
||||
}
|
||||
|
||||
func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
|
||||
if s.ExitOnLockContention && s.LockFilePath == "" {
|
||||
return errors.New("cannot exit on lock file contention: no lock file specified")
|
||||
}
|
||||
if err := checkPermissions(); err != nil {
|
||||
glog.Error(err)
|
||||
}
|
||||
|
||||
done := make(chan struct{})
|
||||
if s.LockFilePath != "" {
|
||||
@@ -325,15 +336,6 @@ func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
|
||||
glog.Errorf("unable to register configz: %s", err)
|
||||
}
|
||||
|
||||
// check if we have CAP_SYS_ADMIN to setgroup properly
|
||||
pid, err := capability.NewPid(os.Getpid())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !pid.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
|
||||
return fmt.Errorf("Kubelet needs the CAP_SYS_ADMIN capability. Please run kubelet as root or in a privileged container")
|
||||
}
|
||||
|
||||
if kcfg == nil {
|
||||
cfg, err := UnsecuredKubeletConfig(s)
|
||||
if err != nil {
|
||||
|
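Review bot: The uid check added in `run` is only logged (`glog.Error(err)` right after the `checkPermissions()` call) whereas the CAP_SYS_ADMIN check it replaces in the last hunk returned the error and aborted startup, so a kubelet without the privilege it needs now keeps running with nothing but an error line in the log. Since uid 0 is neither necessary nor sufficient for the capabilities the kubelet relies on (root inside a non-initial user namespace has uid 0 but no host capabilities, as the TODO in `checkPermissions` itself notes), I would either make the failure fatal with `return err`, or, if a warning is the intent, log it at warning level with a message that says the kubelet is continuing. `os.Getuid()` reports the real uid; `os.Geteuid()` is the one that governs privilege if the binary were ever started set-uid, though that is presumably not how the kubelet is deployed. The error string would also read better in Go style as lowercase without backticks, e.g. `fmt.Errorf("kubelet needs to run as uid 0; running as uid %d", uid)`. The body of `run` continues past the end of the hunk.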