rkt: Append `all-run` to `insecure-options` when the pod's all containers are privileged.

2016-08-23 12:16:30 -07:00 · 2016-08-23 12:16:30 -07:00 · 173dbd700b
parent d65a96a600
commit 173dbd700b
2 changed files with 81 additions and 5 deletions
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
@ -70,8 +70,8 @@ const (
 	RktType                      = "rkt"
 	DefaultRktAPIServiceEndpoint = "localhost:15441"

-	minimumRktBinVersion     = "1.9.1"
-	recommendedRktBinVersion = "1.9.1"
+	minimumRktBinVersion     = "1.13.0"
+	recommendedRktBinVersion = "1.13.0"

 	minimumRktApiVersion  = "1.0.0-alpha"
 	minimumSystemdVersion = "219"
@ -967,7 +967,26 @@ func (r *Runtime) usesRktHostNetwork(pod *api.Pod) bool {

 // generateRunCommand crafts a 'rkt run-prepared' command with necessary parameters.
 func (r *Runtime) generateRunCommand(pod *api.Pod, uuid, netnsName string) (string, error) {
-	runPrepared := buildCommand(r.config, "run-prepared").Args
+	config := *r.config
+	privileged := true
+
+	for _, c := range pod.Spec.Containers {
+		ctx := securitycontext.DetermineEffectiveSecurityContext(pod, &c)
+		if ctx == nil || ctx.Privileged == nil || *ctx.Privileged == false {
+			privileged = false
+			break
+		}
+	}
+
+	// Use "all-run" insecure option (https://github.com/coreos/rkt/pull/2983) to take care
+	// of privileged pod.
+	// TODO(yifan): Have more granular app-level control of the insecure options.
+	// See: https://github.com/coreos/rkt/issues/2996.
+	if privileged {
+		config.InsecureOptions = fmt.Sprintf("%s,%s", config.InsecureOptions, "all-run")
+	}
+
+	runPrepared := buildCommand(&config, "run-prepared").Args

 	var hostname string
 	var err error
--- a/pkg/kubelet/rkt/rkt_test.go
+++ b/pkg/kubelet/rkt/rkt_test.go
@ -1156,6 +1156,9 @@ func TestSetApp(t *testing.T) {

 func TestGenerateRunCommand(t *testing.T) {
 	hostName := "test-hostname"
+	boolTrue := true
+	boolFalse := false
+
 	tests := []struct {
 		networkPlugin network.NetworkPlugin
 		pod           *api.Pod
@ -1176,7 +1179,9 @@ func TestGenerateRunCommand(t *testing.T) {
 				ObjectMeta: api.ObjectMeta{
 					Name: "pod-name-foo",
 				},
-				Spec: api.PodSpec{},
+				Spec: api.PodSpec{
+					Containers: []api.Container{{Name: "container-foo"}},
+				},
 			},
 			"rkt-uuid-foo",
 			"default",
@ -1193,6 +1198,9 @@ func TestGenerateRunCommand(t *testing.T) {
 				ObjectMeta: api.ObjectMeta{
 					Name: "pod-name-foo",
 				},
+				Spec: api.PodSpec{
+					Containers: []api.Container{{Name: "container-foo"}},
+				},
 			},
 			"rkt-uuid-foo",
 			"default",
@ -1213,6 +1221,7 @@ func TestGenerateRunCommand(t *testing.T) {
 					SecurityContext: &api.PodSecurityContext{
 						HostNetwork: true,
 					},
+					Containers: []api.Container{{Name: "container-foo"}},
 				},
 			},
 			"rkt-uuid-foo",
@ -1234,6 +1243,7 @@ func TestGenerateRunCommand(t *testing.T) {
 					SecurityContext: &api.PodSecurityContext{
 						HostNetwork: false,
 					},
+					Containers: []api.Container{{Name: "container-foo"}},
 				},
 			},
 			"rkt-uuid-foo",
@ -1255,6 +1265,7 @@ func TestGenerateRunCommand(t *testing.T) {
 					SecurityContext: &api.PodSecurityContext{
 						HostNetwork: true,
 					},
+					Containers: []api.Container{{Name: "container-foo"}},
 				},
 			},
 			"rkt-uuid-foo",
@ -1272,7 +1283,9 @@ func TestGenerateRunCommand(t *testing.T) {
 				ObjectMeta: api.ObjectMeta{
 					Name: "pod-name-foo",
 				},
-				Spec: api.PodSpec{},
+				Spec: api.PodSpec{
+					Containers: []api.Container{{Name: "container-foo"}},
+				},
 			},
 			"rkt-uuid-foo",
 			"default",
@ -1282,6 +1295,50 @@ func TestGenerateRunCommand(t *testing.T) {
 			nil,
 			"/bin/rkt/rkt --insecure-options=image,ondisk --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=rkt.kubernetes.io --dns=127.0.0.1 --dns-search=. --dns-opt=ndots:5 --hostname=pod-hostname-foo rkt-uuid-foo",
 		},
+		// Case #6, if all containers are privileged, the result should have 'insecure-options=all-run'
+		{
+			kubenet.NewPlugin("/tmp"),
+			&api.Pod{
+				ObjectMeta: api.ObjectMeta{
+					Name: "pod-name-foo",
+				},
+				Spec: api.PodSpec{
+					Containers: []api.Container{
+						{Name: "container-foo", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}},
+						{Name: "container-bar", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}},
+					},
+				},
+			},
+			"rkt-uuid-foo",
+			"default",
+			[]string{},
+			[]string{},
+			"pod-hostname-foo",
+			nil,
+			"/usr/bin/nsenter --net=/var/run/netns/default -- /bin/rkt/rkt --insecure-options=image,ondisk,all-run --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=host --hostname=pod-hostname-foo rkt-uuid-foo",
+		},
+		// Case #7, if not all containers are privileged, the result should not have 'insecure-options=all-run'
+		{
+			kubenet.NewPlugin("/tmp"),
+			&api.Pod{
+				ObjectMeta: api.ObjectMeta{
+					Name: "pod-name-foo",
+				},
+				Spec: api.PodSpec{
+					Containers: []api.Container{
+						{Name: "container-foo", SecurityContext: &api.SecurityContext{Privileged: &boolTrue}},
+						{Name: "container-bar", SecurityContext: &api.SecurityContext{Privileged: &boolFalse}},
+					},
+				},
+			},
+			"rkt-uuid-foo",
+			"default",
+			[]string{},
+			[]string{},
+			"pod-hostname-foo",
+			nil,
+			"/usr/bin/nsenter --net=/var/run/netns/default -- /bin/rkt/rkt --insecure-options=image,ondisk --local-config=/var/rkt/local/data --dir=/var/data run-prepared --net=host --hostname=pod-hostname-foo rkt-uuid-foo",
+		},
 	}

 	rkt := &Runtime{