summaryrefslogtreecommitdiff
path: root/libpod/kube.go
diff options
context:
space:
mode:
authorValentin Rothberg <rothberg@redhat.com>2021-02-09 14:12:06 +0100
committerValentin Rothberg <rothberg@redhat.com>2021-02-09 17:40:35 +0100
commit48c612cf6671c918e8f11e836de8c6172bd73663 (patch)
tree1906c29e6fd41333170311b5af2c542ee0e16de0 /libpod/kube.go
parent9da4169e312bb822a0fbae8e18a0eb7c7eff6e64 (diff)
downloadpodman-48c612cf6671c918e8f11e836de8c6172bd73663.tar.gz
podman-48c612cf6671c918e8f11e836de8c6172bd73663.tar.bz2
podman-48c612cf6671c918e8f11e836de8c6172bd73663.zip
generate kube: support --privileged
Do not play with capabilities for privileged containers where all capabilities will be set implicitly. Also, avoid the device check when running privileged since all of /dev/* will be mounted in any case. Fixes: #8897 Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
Diffstat (limited to 'libpod/kube.go')
-rw-r--r--libpod/kube.go20
1 files changed, 13 insertions, 7 deletions
diff --git a/libpod/kube.go b/libpod/kube.go
index f9ead027d..6cb7723c9 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -322,7 +322,8 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, *v1.PodDNS
return kubeContainer, kubeVolumes, nil, err
}
- if len(c.config.Spec.Linux.Devices) > 0 {
+ // NOTE: a privileged container mounts all of /dev/*.
+ if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 {
// TODO Enable when we can support devices and their names
kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices)
return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices")
@@ -625,13 +626,18 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {
// generateKubeSecurityContext generates a securityContext based on the existing container
func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
- priv := c.Privileged()
+ privileged := c.Privileged()
ro := c.IsReadOnly()
allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges
- newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
- if err != nil {
- return nil, err
+ var capabilities *v1.Capabilities
+ if !privileged {
+ // Running privileged adds all caps.
+ newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
+ if err != nil {
+ return nil, err
+ }
+ capabilities = newCaps
}
var selinuxOpts v1.SELinuxOptions
@@ -651,8 +657,8 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
}
sc := v1.SecurityContext{
- Capabilities: newCaps,
- Privileged: &priv,
+ Capabilities: capabilities,
+ Privileged: &privileged,
SELinuxOptions: &selinuxOpts,
// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
// I'm leaving this as a bread-crumb for later