Add a flag to reject privileged containers in the apiserver.

Brendan Burns
2014-09-16 07:04:12 -07:00
parent c47dca5dbb
commit 5b9e2a55b5
7 changed files with 111 additions and 18 deletions


@@ -21,6 +21,7 @@ import (
"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
errs "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"
"github.com/GoogleCloudPlatform/kubernetes/pkg/capabilities"
"github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
)
@@ -226,12 +227,15 @@ func validateContainers(containers []api.Container, volumes util.StringSet) errs
for i := range containers {
cErrs := errs.ErrorList{}
ctr := &containers[i] // so we can set default values
capabilities := capabilities.GetCapabilities()
if len(ctr.Name) == 0 {
cErrs = append(cErrs, errs.NewFieldRequired("name", ctr.Name))
} else if !util.IsDNSLabel(ctr.Name) {
cErrs = append(cErrs, errs.NewFieldInvalid("name", ctr.Name))
} else if allNames.Has(ctr.Name) {
cErrs = append(cErrs, errs.NewFieldDuplicate("name", ctr.Name))
} else if ctr.Privileged && !capabilities.AllowPrivileged {
cErrs = append(cErrs, errs.NewFieldInvalid("privileged", ctr.Privileged))
} else {
allNames.Insert(ctr.Name)
}
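Review bot: The privileged check at `} else if ctr.Privileged && !capabilities.AllowPrivileged {` is chained onto the name-validation branches, so it is evaluated only when the name is non-empty, a valid DNS label and not a duplicate. The container is still rejected in those cases because a name error is recorded, but the policy check now depends on the ordering of unrelated checks, and a rejected privileged container's name is never inserted into `allNames`, so a later duplicate of it goes unreported. I would make it an independent statement after the chain: `if ctr.Privileged && !caps.AllowPrivileged { cErrs = append(cErrs, errs.NewFieldInvalid("privileged", ctr.Privileged)) }`. `capabilities := capabilities.GetCapabilities()` also shadows the imported package and runs once per container; `caps := capabilities.GetCapabilities()` hoisted above the loop would read better. The body of validateContainers starts and ends outside this hunk, so the placement above the loop needs checking against the full function.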