From 46d0cbd645d919d243139d50ded13fa8fb2d8fcf Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Thu, 11 Sep 2014 16:34:24 -0700
Subject: [PATCH] Add a global flag to enable/disable privileged containers

---
 cmd/kubelet/kubelet.go | 4 +++-
 pkg/kubelet/kubelet.go | 32 +++++++++++++++++++++-----------
 2 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/cmd/kubelet/kubelet.go b/cmd/kubelet/kubelet.go
index 21052332c8..f072b5583a 100644
--- a/cmd/kubelet/kubelet.go
+++ b/cmd/kubelet/kubelet.go
@@ -58,6 +58,7 @@ var (
 dockerEndpoint = flag.String("docker_endpoint", "", "If non-empty, use this for the docker endpoint to communicate with")
 etcdServerList util.StringList
 rootDirectory = flag.String("root_dir", defaultRootDir, "Directory path for managing kubelet files (volume mounts,etc).")
+ allowPrivileged = flag.Bool("allow_privileged", false, "If true, allow containers to request privileged mode.")
 )
 
 func init() {
@@ -150,7 +151,8 @@ func main() {
 cadvisorClient,
 etcdClient,
 *rootDirectory,
- *syncFrequency)
+ *syncFrequency,
+ *allowPrivileged)
 
 health.AddHealthChecker("exec", health.NewExecHealthChecker(k))
 health.AddHealthChecker("http", health.NewHTTPHealthChecker(&http.Client{}))
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index 22845dba26..ee0edd6c2e 100644
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
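Review bot: The help text for the new `allow_privileged` flag in the var hunk names the mechanism but not the risk, and as far as this patch shows the flag is the only gate on `container.Privileged`, so an operator reading `--help` should see what turning it on means. Privileged containers run with essentially unrestricted access to the host's devices and kernel, so the description should say so and recommend keeping the default: `allowPrivileged = flag.Bool("allow_privileged", false, "If true, allow containers to request privileged mode. Privileged containers have nearly unrestricted access to the host; leave false unless required.")`. The false default is the right secure-by-default choice and should not change. The main() hunk on this line only threads the value through to NewMainKubelet and needs nothing further.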
@@ -67,17 +67,19 @@ func NewMainKubelet(
 cc CadvisorInterface,
 ec tools.EtcdClient,
 rd string,
- ri time.Duration) *Kubelet {
+ ri time.Duration,
+ privileged bool) *Kubelet {
 return &Kubelet{
- hostname: hn,
- dockerClient: dc,
- cadvisorClient: cc,
- etcdClient: ec,
- rootDirectory: rd,
- resyncInterval: ri,
- podWorkers: newPodWorkers(),
- runner: dockertools.NewDockerContainerCommandRunner(),
- httpClient: &http.Client{},
+ hostname: hn,
+ dockerClient: dc,
+ cadvisorClient: cc,
+ etcdClient: ec,
+ rootDirectory: rd,
+ resyncInterval: ri,
+ podWorkers: newPodWorkers(),
+ runner: dockertools.NewDockerContainerCommandRunner(),
+ httpClient: &http.Client{},
+ allowPrivileged: privileged,
 }
 }
 
@@ -119,6 +121,8 @@ type Kubelet struct {
 runner dockertools.ContainerCommandRunner
 // Optional, client for http requests, defaults to empty client
 httpClient httpGetInterface
+ // Optional, allow privileged containers, defaults to false
+ allowPrivileged bool
 }
 
 // Run starts the kubelet reacting to config updates
@@ -335,11 +339,17 @@ func (kl *Kubelet) runContainer(pod *Pod, container *api.Container, podVolumes v
 if err != nil {
 return "", err
 }
+ privileged := false
+ if kl.allowPrivileged {
+ privileged = container.Privileged
+ } else if container.Privileged {
+ return "", fmt.Errorf("Container requested privileged mode, but it is disallowed globally.")
+ }
 err = kl.dockerClient.StartContainer(dockerContainer.ID, &docker.HostConfig{
 PortBindings: portBindings,
 Binds: binds,
 NetworkMode: netMode,
- Privileged: container.Privileged,
+ Privileged: privileged,
 })
 if err == nil && container.Lifecycle != nil && container.Lifecycle.PostStart != nil {
 handlerErr := kl.runHandler(GetPodFullName(pod), pod.Manifest.UUID, container, container.Lifecycle.PostStart)
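Review bot: The new privileged check in the runContainer hunk runs after `dockerContainer.ID` already exists, so when `container.Privileged` is set and the flag is off the function returns with a container that has been created but never started and, as far as the hunk shows, never removed; if the code just before the hunk is a CreateContainer call, the rejection should either move ahead of it or remove the created container before returning. The branch can also be collapsed to `if container.Privileged && !kl.allowPrivileged { return "", fmt.Errorf("container requested privileged mode, but it is disallowed globally") }` with `Privileged: container.Privileged` left as it was, which drops the intermediate `privileged` local and follows Go's convention of lowercase, unpunctuated error strings. Rejecting at start time also means the pod is retried on every sync and fails the same way each time; a kubelet-side admission check when the pod is accepted would fail once and earlier, though that is beyond this patch. runContainer begins and continues outside this hunk.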