Refactor CreateContainer.

This commit is contained in:
Random-Liu
2016-04-14 10:36:13 -07:00
parent da07fa9dd5
commit ba4a5ed39e
11 changed files with 111 additions and 126 deletions


@@ -19,7 +19,7 @@ package securitycontext
import (
"k8s.io/kubernetes/pkg/api"
docker "github.com/fsouza/go-dockerclient"
dockercontainer "github.com/docker/engine-api/types/container"
)
// ValidSecurityContextWithContainerDefaults creates a valid security context provider based on
@@ -39,7 +39,7 @@ func NewFakeSecurityContextProvider() SecurityContextProvider {
type FakeSecurityContextProvider struct{}
func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config) {
func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config) {
}
func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) {
func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig) {
}


@@ -23,7 +23,7 @@ import (
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/kubelet/leaky"
docker "github.com/fsouza/go-dockerclient"
dockercontainer "github.com/docker/engine-api/types/container"
)
// NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.
@@ -37,7 +37,7 @@ type SimpleSecurityContextProvider struct{}
// ModifyContainerConfig is called before the Docker createContainer call.
// The security context provider can make changes to the Config with which
// the container is created.
func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config) {
func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config) {
effectiveSC := DetermineEffectiveSecurityContext(pod, container)
if effectiveSC == nil {
return
@@ -50,7 +50,7 @@ func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, conta
// ModifyHostConfig is called before the Docker runContainer call.
// The security context provider can make changes to the HostConfig, affecting
// security options, whether the container is privileged, volume binds, etc.
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig) {
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig) {
// Apply pod security context
if container.Name != leaky.PodInfraContainerName && pod.Spec.SecurityContext != nil {
// TODO: We skip application of supplemental groups to the
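Review bot: The doc comment at the top of this hunk, `// ModifyHostConfig is called before the Docker runContainer call.`, now disagrees with the interface's comment for the same method in types.go, which says createContainer. Since the hunk switches the parameter to the engine-api `dockercontainer.HostConfig`, where the host config is presumably supplied at container creation rather than at start, the provider's comment looks stale; I'd change it to `// ModifyHostConfig is called before the Docker createContainer call.` so the two read the same, assuming the new createContainer path is indeed where the host config is applied. ModifyHostConfig's body continues outside the hunk.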


@@ -22,7 +22,7 @@ import (
"strconv"
"testing"
docker "github.com/fsouza/go-dockerclient"
dockercontainer "github.com/docker/engine-api/types/container"
"k8s.io/kubernetes/pkg/api"
apitesting "k8s.io/kubernetes/pkg/api/testing"
)
@@ -35,28 +35,28 @@ func TestModifyContainerConfig(t *testing.T) {
name string
podSc *api.PodSecurityContext
sc *api.SecurityContext
expected *docker.Config
expected *dockercontainer.Config
}{
{
name: "container.SecurityContext.RunAsUser set",
sc: &api.SecurityContext{
RunAsUser: &uid,
},
expected: &docker.Config{
expected: &dockercontainer.Config{
User: strconv.FormatInt(uid, 10),
},
},
{
name: "no RunAsUser value set",
sc: &api.SecurityContext{},
expected: &docker.Config{},
expected: &dockercontainer.Config{},
},
{
name: "pod.Spec.SecurityContext.RunAsUser set",
podSc: &api.PodSecurityContext{
RunAsUser: &uid,
},
expected: &docker.Config{
expected: &dockercontainer.Config{
User: strconv.FormatInt(uid, 10),
},
},
@@ -68,7 +68,7 @@ func TestModifyContainerConfig(t *testing.T) {
sc: &api.SecurityContext{
RunAsUser: &overrideUid,
},
expected: &docker.Config{
expected: &dockercontainer.Config{
User: strconv.FormatInt(overrideUid, 10),
},
},
@@ -79,7 +79,7 @@ func TestModifyContainerConfig(t *testing.T) {
for _, tc := range cases {
pod := &api.Pod{Spec: api.PodSpec{SecurityContext: tc.podSc}}
dummyContainer.SecurityContext = tc.sc
dockerCfg := &docker.Config{}
dockerCfg := &dockercontainer.Config{}
provider.ModifyContainerConfig(pod, dummyContainer, dockerCfg)
@@ -93,16 +93,16 @@ func TestModifyHostConfig(t *testing.T) {
priv := true
setPrivSC := &api.SecurityContext{}
setPrivSC.Privileged = &priv
setPrivHC := &docker.HostConfig{
setPrivHC := &dockercontainer.HostConfig{
Privileged: true,
}
setCapsHC := &docker.HostConfig{
setCapsHC := &dockercontainer.HostConfig{
CapAdd: []string{"addCapA", "addCapB"},
CapDrop: []string{"dropCapA", "dropCapB"},
}
setSELinuxHC := &docker.HostConfig{}
setSELinuxHC := &dockercontainer.HostConfig{}
setSELinuxHC.SecurityOpt = []string{
fmt.Sprintf("%s:%s", dockerLabelUser, "user"),
fmt.Sprintf("%s:%s", dockerLabelRole, "role"),
@@ -117,7 +117,7 @@ func TestModifyHostConfig(t *testing.T) {
name string
podSc *api.PodSecurityContext
sc *api.SecurityContext
expected *docker.HostConfig
expected *dockercontainer.HostConfig
}{
{
name: "fully set container.SecurityContext",
@@ -164,7 +164,7 @@ func TestModifyHostConfig(t *testing.T) {
for _, tc := range cases {
pod := &api.Pod{Spec: api.PodSpec{SecurityContext: tc.podSc}}
dummyContainer.SecurityContext = tc.sc
dockerCfg := &docker.HostConfig{}
dockerCfg := &dockercontainer.HostConfig{}
provider.ModifyHostConfig(pod, dummyContainer, dockerCfg)
@@ -187,7 +187,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
testCases := map[string]struct {
securityContext *api.PodSecurityContext
expected *docker.HostConfig
expected *dockercontainer.HostConfig
}{
"nil": {
securityContext: nil,
@@ -219,7 +219,7 @@ func TestModifyHostConfigPodSecurityContext(t *testing.T) {
for k, v := range testCases {
dummyPod.Spec.SecurityContext = v.securityContext
dockerCfg := &docker.HostConfig{}
dockerCfg := &dockercontainer.HostConfig{}
provider.ModifyHostConfig(dummyPod, dummyContainer, dockerCfg)
if !reflect.DeepEqual(v.expected, dockerCfg) {
t.Errorf("unexpected modification of host config for %s. Expected: %#v Got: %#v", k, v.expected, dockerCfg)
@@ -301,8 +301,8 @@ func inputSELinuxOptions() *api.SELinuxOptions {
}
}
func fullValidHostConfig() *docker.HostConfig {
return &docker.HostConfig{
func fullValidHostConfig() *dockercontainer.HostConfig {
return &dockercontainer.HostConfig{
Privileged: true,
CapAdd: []string{"addCapA", "addCapB"},
CapDrop: []string{"dropCapA", "dropCapB"},


@@ -19,21 +19,21 @@ package securitycontext
import (
"k8s.io/kubernetes/pkg/api"
docker "github.com/fsouza/go-dockerclient"
dockercontainer "github.com/docker/engine-api/types/container"
)
type SecurityContextProvider interface {
// ModifyContainerConfig is called before the Docker createContainer call.
// The security context provider can make changes to the Config with which
// the container is created.
ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)
ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
// ModifyHostConfig is called before the Docker createContainer call.
// The security context provider can make changes to the HostConfig, affecting
// security options, whether the container is privileged, volume binds, etc.
// An error is returned if it's not possible to secure the container as requested
// with a security context.
ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)
ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig)
}
const (