Add a global flag to enable/disable privileged containers

pull/6/head
Brendan Burns 2014-09-11 16:34:24 -07:00
parent 3a3fab3f82
commit 46d0cbd645
2 changed files with 24 additions and 12 deletions


@ -58,6 +58,7 @@ var (
dockerEndpoint = flag.String("docker_endpoint", "", "If non-empty, use this for the docker endpoint to communicate with") dockerEndpoint = flag.String("docker_endpoint", "", "If non-empty, use this for the docker endpoint to communicate with")
etcdServerList util.StringList etcdServerList util.StringList
rootDirectory = flag.String("root_dir", defaultRootDir, "Directory path for managing kubelet files (volume mounts,etc).") rootDirectory = flag.String("root_dir", defaultRootDir, "Directory path for managing kubelet files (volume mounts,etc).")
allowPrivileged = flag.Bool("allow_privileged", false, "If true, allow containers to request privileged mode.")
) )
func init() { func init() {
@ -150,7 +151,8 @@ func main() {
cadvisorClient, cadvisorClient,
etcdClient, etcdClient,
*rootDirectory, *rootDirectory,
*syncFrequency) *syncFrequency,
*allowPrivileged)
health.AddHealthChecker("exec", health.NewExecHealthChecker(k)) health.AddHealthChecker("exec", health.NewExecHealthChecker(k))
health.AddHealthChecker("http", health.NewHTTPHealthChecker(&http.Client{})) health.AddHealthChecker("http", health.NewHTTPHealthChecker(&http.Client{}))
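Review bot: The help text of the new `allow_privileged` flag says what true does but not what happens when it is left at the default, which is the case an operator reading `--help` most needs to know; the other file in this commit makes a container that requests privileged mode fail to start with an error in that case. I would make that explicit in the flag string: `allowPrivileged = flag.Bool("allow_privileged", false, "If true, allow containers to request privileged mode; otherwise a container that requests it fails to start.")`. The surrounding var block and main() both continue outside the hunk.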


@ -67,17 +67,19 @@ func NewMainKubelet(
cc CadvisorInterface, cc CadvisorInterface,
ec tools.EtcdClient, ec tools.EtcdClient,
rd string, rd string,
ri time.Duration) *Kubelet { ri time.Duration,
privileged bool) *Kubelet {
return &Kubelet{ return &Kubelet{
hostname: hn, hostname: hn,
dockerClient: dc, dockerClient: dc,
cadvisorClient: cc, cadvisorClient: cc,
etcdClient: ec, etcdClient: ec,
rootDirectory: rd, rootDirectory: rd,
resyncInterval: ri, resyncInterval: ri,
podWorkers: newPodWorkers(), podWorkers: newPodWorkers(),
runner: dockertools.NewDockerContainerCommandRunner(), runner: dockertools.NewDockerContainerCommandRunner(),
httpClient: &http.Client{}, httpClient: &http.Client{},
allowPrivileged: privileged,
} }
} }
@ -119,6 +121,8 @@ type Kubelet struct {
runner dockertools.ContainerCommandRunner runner dockertools.ContainerCommandRunner
// Optional, client for http requests, defaults to empty client // Optional, client for http requests, defaults to empty client
httpClient httpGetInterface httpClient httpGetInterface
// Optional, allow privileged containers, defaults to false
allowPrivileged bool
} }
// Run starts the kubelet reacting to config updates // Run starts the kubelet reacting to config updates
@ -335,11 +339,17 @@ func (kl *Kubelet) runContainer(pod *Pod, container *api.Container, podVolumes v
if err != nil { if err != nil {
return "", err return "", err
} }
privileged := false
if kl.allowPrivileged {
privileged = container.Privileged
} else if container.Privileged {
return "", fmt.Errorf("Container requested privileged mode, but it is disallowed globally.")
}
err = kl.dockerClient.StartContainer(dockerContainer.ID, &docker.HostConfig{ err = kl.dockerClient.StartContainer(dockerContainer.ID, &docker.HostConfig{
PortBindings: portBindings, PortBindings: portBindings,
Binds: binds, Binds: binds,
NetworkMode: netMode, NetworkMode: netMode,
Privileged: container.Privileged, Privileged: privileged,
}) })
if err == nil && container.Lifecycle != nil && container.Lifecycle.PostStart != nil { if err == nil && container.Lifecycle != nil && container.Lifecycle.PostStart != nil {
handlerErr := kl.runHandler(GetPodFullName(pod), pod.Manifest.UUID, container, container.Lifecycle.PostStart) handlerErr := kl.runHandler(GetPodFullName(pod), pod.Manifest.UUID, container, container.Lifecycle.PostStart)
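Review bot: In the runContainer hunk the privileged check (the `privileged := false` block before the StartContainer call) runs after `dockerContainer` already exists, since its ID is used on the very next statement and the `if err != nil` directly above looks like the result of the create call, which is outside the hunk; returning the "disallowed globally" error at that point appears to leave a created but never started container behind, with nothing in this commit removing it. The decision depends only on `kl.allowPrivileged` and `container.Privileged`, so I would move the whole block to the top of runContainer, ahead of the create call, so a disallowed request is rejected before any Docker resource is made; the function's start is outside the hunk. While moving it, the error string should follow Go convention (lowercase, no trailing period, and no format verbs so `errors.New` would also do): `return "", fmt.Errorf("container requested privileged mode, but it is disallowed globally")`.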