kuberuntime: set privileged for sandboxes

pkg/kubelet/container/helpers.go

@@ -261,3 +261,15 @@ func GetContainerSpec(pod *v1.Pod, containerName string) *v1.Container {
 	}
 	return nil
 }
+
+// HasPrivilegedContainer returns true if any of the containers in the pod are privileged.
+func HasPrivilegedContainer(pod *v1.Pod) bool {
+	for _, c := range pod.Spec.Containers {
+		if c.SecurityContext != nil &&
+			c.SecurityContext.Privileged != nil &&
+			*c.SecurityContext.Privileged {
+			return true
+		}
+	}
+	return false
+}

pkg/kubelet/container/helpers_test.go

@@ -211,3 +211,44 @@ func TestShouldContainerBeRestarted(t *testing.T) {
 		}
 	}
 }
+
+func TestHasPrivilegedContainer(t *testing.T) {
+	newBoolPtr := func(b bool) *bool {
+		return &b
+	}
+	tests := map[string]struct {
+		securityContext *v1.SecurityContext
+		expected        bool
+	}{
+		"nil security context": {
+			securityContext: nil,
+			expected:        false,
+		},
+		"nil privileged": {
+			securityContext: &v1.SecurityContext{},
+			expected:        false,
+		},
+		"false privileged": {
+			securityContext: &v1.SecurityContext{Privileged: newBoolPtr(false)},
+			expected:        false,
+		},
+		"true privileged": {
+			securityContext: &v1.SecurityContext{Privileged: newBoolPtr(true)},
+			expected:        true,
+		},
+	}
+
+	for k, v := range tests {
+		pod := &v1.Pod{
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{SecurityContext: v.securityContext},
+				},
+			},
+		}
+		actual := HasPrivilegedContainer(pod)
+		if actual != v.expected {
+			t.Errorf("%s expected %t but got %t", k, v.expected, actual)
+		}
+	}
+}

pkg/kubelet/kubelet_pods.go

@@ -1441,25 +1441,13 @@ func (kl *Kubelet) cleanupOrphanedPodCgroups(
 // or it will not have the correct capabilities in the namespace.  This means that host user namespace
 // is enabled per pod, not per container.
 func (kl *Kubelet) enableHostUserNamespace(pod *v1.Pod) bool {
-	if hasPrivilegedContainer(pod) || hasHostNamespace(pod) ||
+	if kubecontainer.HasPrivilegedContainer(pod) || hasHostNamespace(pod) ||
 		hasHostVolume(pod) || hasNonNamespacedCapability(pod) || kl.hasHostMountPVC(pod) {
 		return true
 	}
 	return false
 }
 
-// hasPrivilegedContainer returns true if any of the containers in the pod are privileged.
-func hasPrivilegedContainer(pod *v1.Pod) bool {
-	for _, c := range pod.Spec.Containers {
-		if c.SecurityContext != nil &&
-			c.SecurityContext.Privileged != nil &&
-			*c.SecurityContext.Privileged {
-			return true
-		}
-	}
-	return false
-}
-
 // hasNonNamespacedCapability returns true if MKNOD, SYS_TIME, or SYS_MODULE is requested for any container.
 func hasNonNamespacedCapability(pod *v1.Pod) bool {
 	for _, c := range pod.Spec.Containers {

pkg/kubelet/kubelet_pods_test.go

@@ -1266,47 +1266,6 @@ func TestMakeDevices(t *testing.T) {
 	}
 }
 
-func TestHasPrivilegedContainer(t *testing.T) {
-	newBoolPtr := func(b bool) *bool {
-		return &b
-	}
-	tests := map[string]struct {
-		securityContext *v1.SecurityContext
-		expected        bool
-	}{
-		"nil sc": {
-			securityContext: nil,
-			expected:        false,
-		},
-		"nil privleged": {
-			securityContext: &v1.SecurityContext{},
-			expected:        false,
-		},
-		"false privleged": {
-			securityContext: &v1.SecurityContext{Privileged: newBoolPtr(false)},
-			expected:        false,
-		},
-		"true privleged": {
-			securityContext: &v1.SecurityContext{Privileged: newBoolPtr(true)},
-			expected:        true,
-		},
-	}
-
-	for k, v := range tests {
-		pod := &v1.Pod{
-			Spec: v1.PodSpec{
-				Containers: []v1.Container{
-					{SecurityContext: v.securityContext},
-				},
-			},
-		}
-		actual := hasPrivilegedContainer(pod)
-		if actual != v.expected {
-			t.Errorf("%s expected %t but got %t", k, v.expected, actual)
-		}
-	}
-}
-
 func TestHasHostMountPVC(t *testing.T) {
 	tests := map[string]struct {
 		pvError       error

pkg/kubelet/kuberuntime/kuberuntime_sandbox.go

@@ -130,23 +130,21 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxConfig(pod *v1.Pod, attemp
 
 // generatePodSandboxLinuxConfig generates LinuxPodSandboxConfig from v1.Pod.
 func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, cgroupParent string) *runtimeapi.LinuxPodSandboxConfig {
-	if pod.Spec.SecurityContext == nil && cgroupParent == "" {
+	lc := &runtimeapi.LinuxPodSandboxConfig{
-		return nil
+		SecurityContext: &runtimeapi.LinuxSandboxSecurityContext{},
 	}
 
-	lc := &runtimeapi.LinuxPodSandboxConfig{}
 	if cgroupParent != "" {
 		lc.CgroupParent = &cgroupParent
 	}
+
 	if pod.Spec.SecurityContext != nil {
 		sc := pod.Spec.SecurityContext
-		lc.SecurityContext = &runtimeapi.LinuxSandboxSecurityContext{
+		lc.SecurityContext.RunAsUser = sc.RunAsUser
-			NamespaceOptions: &runtimeapi.NamespaceOption{
+		lc.SecurityContext.NamespaceOptions = &runtimeapi.NamespaceOption{
 			HostNetwork: &pod.Spec.HostNetwork,
 			HostIpc:     &pod.Spec.HostIPC,
 			HostPid:     &pod.Spec.HostPID,
-			},
-			RunAsUser: sc.RunAsUser,
 		}
 
 		if sc.FSGroup != nil {
@@ -168,6 +166,11 @@ func (m *kubeGenericRuntimeManager) generatePodSandboxLinuxConfig(pod *v1.Pod, c
 		}
 	}
 
+	if kubecontainer.HasPrivilegedContainer(pod) {
+		privileged := true
+		lc.SecurityContext.Privileged = &privileged
+	}
+
 	return lc
 }