Check for CAP_SYS_ADMIN in Kubelet

The Kubelet process must have CAP_SYS_ADMIN, which implies that the kubelet process must be either running as root or in a privileged container. Make this check early in the startup sequence and bail out if necessary. Related to #26093
2016-08-05 20:08:58 -04:00 · 2016-08-05 20:08:58 -04:00 · 2616fc9cf5
parent 15ad9be67f
commit 2616fc9cf5
2 changed files with 13 additions and 0 deletions
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@ -26,6 +26,7 @@ import (
 	"net"
 	"net/http"
 	_ "net/http/pprof"
+	"os"
 	"path"
 	"strconv"
 	"strings"
@ -34,6 +35,7 @@ import (
 	"github.com/golang/glog"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"github.com/syndtr/gocapability/capability"

 	"k8s.io/kubernetes/cmd/kubelet/app/options"
 	"k8s.io/kubernetes/pkg/api"
@ -321,6 +323,16 @@ func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
 	} else {
 		glog.Errorf("unable to register configz: %s", err)
 	}
+
+	// check if we have CAP_SYS_ADMIN to setgroup properly
+	pid, err := capability.NewPid(os.Getpid())
+	if err != nil {
+		return err
+	}
+	if !pid.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
+		return fmt.Errorf("Kubelet needs the CAP_SYS_ADMIN capability. Please run kubelet as root or in a privileged container")
+	}
+
 	if kcfg == nil {
 		cfg, err := UnsecuredKubeletConfig(s)
 		if err != nil {
--- a/hack/jenkins/gotest-dockerized.sh
+++ b/hack/jenkins/gotest-dockerized.sh
@ -36,6 +36,7 @@ mkdir -p "${HOST_ARTIFACTS_DIR}"
 # provided must be resolvable on the *HOST*, not the container.

 docker run --rm=true \
+  --privileged=true \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v "${REPO_DIR}":/go/src/k8s.io/kubernetes \
  -v "${WORKSPACE}/_artifacts":/workspace/artifacts \