Check Pod privileged container

2025-11-03 19:58:17 +00:00 · 2015-05-09 17:17:36 -04:00
parent 738f403eea
commit 2f7183cba5
4 changed files with 65 additions and 13 deletions
--- a/pkg/kubelet/dockertools/manager.go
+++ b/pkg/kubelet/dockertools/manager.go
@@ -30,7 +30,6 @@ import (
 	"sync"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
-	"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/record"
 	kubecontainer "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/container"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/lifecycle"
@@ -542,10 +541,6 @@ func (dm *DockerManager) runContainer(pod *api.Pod, container *api.Container, op
 		}
 	}

-	if !capabilities.Get().AllowPrivileged && securitycontext.HasPrivilegedRequest(container) {
-		return "", fmt.Errorf("container requested privileged mode, but it is disallowed globally.")
-	}
-
 	hc := &docker.HostConfig{
 		PortBindings: portBindings,
 		Binds:        opts.Binds,
--- a/pkg/kubelet/kubelet_test.go
+++ b/pkg/kubelet/kubelet_test.go
@@ -3754,6 +3754,59 @@ func TestHostNetworkDisallowed(t *testing.T) {
 	}
 }

+func TestPrivilegeContainerAllowed(t *testing.T) {
+	testKubelet := newTestKubelet(t)
+	kubelet := testKubelet.kubelet
+
+	capabilities.SetForTests(capabilities.Capabilities{
+		AllowPrivileged: true,
+	})
+	privileged := true
+	pod := &api.Pod{
+		ObjectMeta: api.ObjectMeta{
+			UID:       "12345678",
+			Name:      "foo",
+			Namespace: "new",
+		},
+		Spec: api.PodSpec{
+			Containers: []api.Container{
+				{Name: "foo", SecurityContext: &api.SecurityContext{Privileged: &privileged}},
+			},
+		},
+	}
+	kubelet.podManager.SetPods([]*api.Pod{pod})
+	err := kubelet.syncPod(pod, nil, container.Pod{})
+	if err != nil {
+		t.Errorf("expected pod infra creation to succeed: %v", err)
+	}
+}
+
+func TestPrivilegeContainerDisallowed(t *testing.T) {
+	testKubelet := newTestKubelet(t)
+	kubelet := testKubelet.kubelet
+
+	capabilities.SetForTests(capabilities.Capabilities{
+		AllowPrivileged: false,
+	})
+	privileged := true
+	pod := &api.Pod{
+		ObjectMeta: api.ObjectMeta{
+			UID:       "12345678",
+			Name:      "foo",
+			Namespace: "new",
+		},
+		Spec: api.PodSpec{
+			Containers: []api.Container{
+				{Name: "foo", SecurityContext: &api.SecurityContext{Privileged: &privileged}},
+			},
+		},
+	}
+	err := kubelet.syncPod(pod, nil, container.Pod{})
+	if err == nil {
+		t.Errorf("expected pod infra creation to fail")
+	}
+}
+
 func TestSyncPodsWithRestartPolicy(t *testing.T) {
 	testKubelet := newTestKubelet(t)
 	testKubelet.fakeCadvisor.On("MachineInfo").Return(&cadvisorApi.MachineInfo{}, nil)
--- a/pkg/kubelet/rkt/rkt.go
+++ b/pkg/kubelet/rkt/rkt.go
@@ -31,7 +31,6 @@ import (
 	"time"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
-	"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/record"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/credentialprovider"
 	kubecontainer "github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet/container"
@@ -213,13 +212,10 @@ func setIsolators(app *appctypes.App, c *api.Container) error {

 	// Retained capabilities/privileged.
 	privileged := false
-	if !capabilities.Get().AllowPrivileged && securitycontext.HasPrivilegedRequest(c) {
-		return fmt.Errorf("container requested privileged mode, but it is disallowed globally.")
-	} else {
-		if c.SecurityContext != nil && c.SecurityContext.Privileged != nil {
-			privileged = *c.SecurityContext.Privileged
-		}
+	if c.SecurityContext != nil && c.SecurityContext.Privileged != nil {
+		privileged = *c.SecurityContext.Privileged
 	}
+
 	var addCaps string
 	if privileged {
 		addCaps = getAllCapabilities()
--- a/pkg/kubelet/util.go
+++ b/pkg/kubelet/util.go
@@ -22,6 +22,7 @@ import (
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/resource"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/securitycontext"
 	cadvisorApi "github.com/google/cadvisor/info/v1"
 )

@@ -48,7 +49,14 @@ func canRunPod(pod *api.Pod) error {
 			return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
 		}
 	}
-	// TODO(vmarmol): Check Privileged too.
+
+	if !capabilities.Get().AllowPrivileged {
+		for _, container := range pod.Spec.Containers {
+			if securitycontext.HasPrivilegedRequest(&container) {
+				return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
+			}
+		}
+	}
 	return nil
 }