Merge pull request #13100 from pweil-/cap-priv-sources

use privileged source object
2015-08-25 16:10:50 -07:00 · 2015-08-25 16:10:50 -07:00 · 3bc2157889
parent 6071942f98 709e654686
commit 3bc2157889
5 changed files with 31 additions and 11 deletions
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -294,7 +294,9 @@ func (s *APIServer) Run(_ []string) error {
 	capabilities.Initialize(capabilities.Capabilities{
 		AllowPrivileged: s.AllowPrivileged,
 		// TODO(vmarmol): Implement support for HostNetworkSources.
-		HostNetworkSources:                     []string{},
+		PrivilegedSources: capabilities.PrivilegedSources{
+			HostNetworkSources: []string{},
+		},
 		PerConnectionBandwidthLimitBytesPerSec: s.MaxConnectionBytesPerSec,
 	})

--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@ -642,7 +642,11 @@ func RunKubelet(kcfg *KubeletConfig, builder KubeletBuilder) error {
 	} else {
 		glog.Warning("No api server defined - no events will be sent to API server.")
 	}
-	capabilities.Setup(kcfg.AllowPrivileged, kcfg.HostNetworkSources, 0)
+
+	privilegedSources := capabilities.PrivilegedSources{
+		HostNetworkSources: kcfg.HostNetworkSources,
+	}
+	capabilities.Setup(kcfg.AllowPrivileged, privilegedSources, 0)

 	credentialprovider.SetPreferredDockercfgPath(kcfg.RootDirectory)

--- a/pkg/capabilities/capabilities.go
+++ b/pkg/capabilities/capabilities.go
@ -25,13 +25,21 @@ import (
 type Capabilities struct {
 	AllowPrivileged bool

-	// List of pod sources for which using host network is allowed.
-	HostNetworkSources []string
+	// Pod sources from which to allow privileged capabilities like host networking, sharing the host
+	// IPC namespace, and sharing the host PID namespace.
+	PrivilegedSources PrivilegedSources

 	// PerConnectionBandwidthLimitBytesPerSec limits the throughput of each connection (currently only used for proxy, exec, attach)
 	PerConnectionBandwidthLimitBytesPerSec int64
 }

+// PrivilegedSources defines the pod sources allowed to make privileged requests for certain types
+// of capabilities like host networking, sharing the host IPC namespace, and sharing the host PID namespace.
+type PrivilegedSources struct {
+	// List of pod sources for which using host network is allowed.
+	HostNetworkSources []string
+}
+
 // TODO: Clean these up into a singleton
 var once sync.Once
 var lock sync.Mutex
@ -46,10 +54,10 @@ func Initialize(c Capabilities) {
 }

 // Setup the capability set.  It wraps Initialize for improving usibility.
-func Setup(allowPrivileged bool, hostNetworkSources []string, perConnectionBytesPerSec int64) {
+func Setup(allowPrivileged bool, privilegedSources PrivilegedSources, perConnectionBytesPerSec int64) {
 	Initialize(Capabilities{
 		AllowPrivileged:                        allowPrivileged,
-		HostNetworkSources:                     hostNetworkSources,
+		PrivilegedSources:                      privilegedSources,
 		PerConnectionBandwidthLimitBytesPerSec: perConnectionBytesPerSec,
 	})
 }
@ -68,8 +76,10 @@ func Get() Capabilities {
 	// This check prevents clobbering of capabilities that might've been set via SetForTests
 	if capabilities == nil {
 		Initialize(Capabilities{
-			AllowPrivileged:    false,
-			HostNetworkSources: []string{},
+			AllowPrivileged: false,
+			PrivilegedSources: PrivilegedSources{
+				HostNetworkSources: []string{},
+			},
 		})
 	}
 	return *capabilities
--- a/pkg/kubelet/kubelet_test.go
+++ b/pkg/kubelet/kubelet_test.go
@ -2831,7 +2831,9 @@ func TestHostNetworkAllowed(t *testing.T) {
 	kubelet := testKubelet.kubelet

 	capabilities.SetForTests(capabilities.Capabilities{
-		HostNetworkSources: []string{ApiserverSource, FileSource},
+		PrivilegedSources: capabilities.PrivilegedSources{
+			HostNetworkSources: []string{ApiserverSource, FileSource},
+		},
 	})
 	pod := &api.Pod{
 		ObjectMeta: api.ObjectMeta{
@ -2861,7 +2863,9 @@ func TestHostNetworkDisallowed(t *testing.T) {
 	kubelet := testKubelet.kubelet

 	capabilities.SetForTests(capabilities.Capabilities{
-		HostNetworkSources: []string{},
+		PrivilegedSources: capabilities.PrivilegedSources{
+			HostNetworkSources: []string{},
+		},
 	})
 	pod := &api.Pod{
 		ObjectMeta: api.ObjectMeta{
--- a/pkg/kubelet/util.go
+++ b/pkg/kubelet/util.go
@ -66,7 +66,7 @@ func allowHostNetwork(pod *api.Pod) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	for _, source := range capabilities.Get().HostNetworkSources {
+	for _, source := range capabilities.Get().PrivilegedSources.HostNetworkSources {
 		if source == podSource {
 			return true, nil
 		}