Merge pull request #13100 from pweil-/cap-priv-sources

use privileged source object

cmd/kube-apiserver/app/server.go

@@ -294,7 +294,9 @@ func (s *APIServer) Run(_ []string) error {
 	capabilities.Initialize(capabilities.Capabilities{
 		AllowPrivileged: s.AllowPrivileged,
 		// TODO(vmarmol): Implement support for HostNetworkSources.
+		PrivilegedSources: capabilities.PrivilegedSources{
 			HostNetworkSources: []string{},
+		},
 		PerConnectionBandwidthLimitBytesPerSec: s.MaxConnectionBytesPerSec,
 	})
 

cmd/kubelet/app/server.go

@@ -642,7 +642,11 @@ func RunKubelet(kcfg *KubeletConfig, builder KubeletBuilder) error {
 	} else {
 		glog.Warning("No api server defined - no events will be sent to API server.")
 	}
-	capabilities.Setup(kcfg.AllowPrivileged, kcfg.HostNetworkSources, 0)
+
+	privilegedSources := capabilities.PrivilegedSources{
+		HostNetworkSources: kcfg.HostNetworkSources,
+	}
+	capabilities.Setup(kcfg.AllowPrivileged, privilegedSources, 0)
 
 	credentialprovider.SetPreferredDockercfgPath(kcfg.RootDirectory)
 

pkg/capabilities/capabilities.go

@@ -25,13 +25,21 @@ import (
 type Capabilities struct {
 	AllowPrivileged bool
 
-	// List of pod sources for which using host network is allowed.
-	HostNetworkSources []string
+	// Pod sources from which to allow privileged capabilities like host networking, sharing the host
+	// IPC namespace, and sharing the host PID namespace.
+	PrivilegedSources PrivilegedSources
 
 	// PerConnectionBandwidthLimitBytesPerSec limits the throughput of each connection (currently only used for proxy, exec, attach)
 	PerConnectionBandwidthLimitBytesPerSec int64
 }
 
+// PrivilegedSources defines the pod sources allowed to make privileged requests for certain types
+// of capabilities like host networking, sharing the host IPC namespace, and sharing the host PID namespace.
+type PrivilegedSources struct {
+	// List of pod sources for which using host network is allowed.
+	HostNetworkSources []string
+}
+
 // TODO: Clean these up into a singleton
 var once sync.Once
 var lock sync.Mutex
@@ -46,10 +54,10 @@ func Initialize(c Capabilities) {
 }
 
 // Setup the capability set.  It wraps Initialize for improving usibility.
-func Setup(allowPrivileged bool, hostNetworkSources []string, perConnectionBytesPerSec int64) {
+func Setup(allowPrivileged bool, privilegedSources PrivilegedSources, perConnectionBytesPerSec int64) {
 	Initialize(Capabilities{
 		AllowPrivileged:                        allowPrivileged,
-		HostNetworkSources:                     hostNetworkSources,
+		PrivilegedSources:                      privilegedSources,
 		PerConnectionBandwidthLimitBytesPerSec: perConnectionBytesPerSec,
 	})
 }
@@ -69,7 +77,9 @@ func Get() Capabilities {
 	if capabilities == nil {
 		Initialize(Capabilities{
 			AllowPrivileged: false,
+			PrivilegedSources: PrivilegedSources{
 				HostNetworkSources: []string{},
+			},
 		})
 	}
 	return *capabilities

pkg/kubelet/kubelet_test.go

@@ -2831,7 +2831,9 @@ func TestHostNetworkAllowed(t *testing.T) {
 	kubelet := testKubelet.kubelet
 
 	capabilities.SetForTests(capabilities.Capabilities{
+		PrivilegedSources: capabilities.PrivilegedSources{
 			HostNetworkSources: []string{ApiserverSource, FileSource},
+		},
 	})
 	pod := &api.Pod{
 		ObjectMeta: api.ObjectMeta{
@@ -2861,7 +2863,9 @@ func TestHostNetworkDisallowed(t *testing.T) {
 	kubelet := testKubelet.kubelet
 
 	capabilities.SetForTests(capabilities.Capabilities{
+		PrivilegedSources: capabilities.PrivilegedSources{
 			HostNetworkSources: []string{},
+		},
 	})
 	pod := &api.Pod{
 		ObjectMeta: api.ObjectMeta{

pkg/kubelet/util.go

@@ -66,7 +66,7 @@ func allowHostNetwork(pod *api.Pod) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	for _, source := range capabilities.Get().HostNetworkSources {
+	for _, source := range capabilities.Get().PrivilegedSources.HostNetworkSources {
 		if source == podSource {
 			return true, nil
 		}