forked from kubernetes/kubernetes
-
Notifications
You must be signed in to change notification settings - Fork 0
/
util.go
110 lines (97 loc) · 2.97 KB
/
util.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
/*
Copyright 2014 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubelet
import (
"fmt"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/capabilities"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
"k8s.io/kubernetes/pkg/securitycontext"
)
// Check whether we have the capabilities to run the specified pod.
func canRunPod(pod *api.Pod) error {
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostNetwork {
allowed, err := allowHostNetwork(pod)
if err != nil {
return err
}
if !allowed {
return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
}
}
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
allowed, err := allowHostPID(pod)
if err != nil {
return err
}
if !allowed {
return fmt.Errorf("pod with UID %q specified host PID, but is disallowed", pod.UID)
}
}
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC {
allowed, err := allowHostIPC(pod)
if err != nil {
return err
}
if !allowed {
return fmt.Errorf("pod with UID %q specified host ipc, but is disallowed", pod.UID)
}
}
if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
}
return nil
}
// Determined whether the specified pod is allowed to use host networking
func allowHostNetwork(pod *api.Pod) (bool, error) {
podSource, err := kubetypes.GetPodSource(pod)
if err != nil {
return false, err
}
for _, source := range capabilities.Get().PrivilegedSources.HostNetworkSources {
if source == podSource {
return true, nil
}
}
return false, nil
}
// Determined whether the specified pod is allowed to use host networking
func allowHostPID(pod *api.Pod) (bool, error) {
podSource, err := kubetypes.GetPodSource(pod)
if err != nil {
return false, err
}
for _, source := range capabilities.Get().PrivilegedSources.HostPIDSources {
if source == podSource {
return true, nil
}
}
return false, nil
}
// Determined whether the specified pod is allowed to use host ipc
func allowHostIPC(pod *api.Pod) (bool, error) {
podSource, err := kubetypes.GetPodSource(pod)
if err != nil {
return false, err
}
for _, source := range capabilities.Get().PrivilegedSources.HostIPCSources {
if source == podSource {
return true, nil
}
}
return false, nil
}