Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_inspect.go | 4 | ||||
-rw-r--r-- | libpod/define/container_inspect.go | 4 | ||||
-rw-r--r-- | libpod/kube.go | 20 |
3 files changed, 17 insertions, 11 deletions
diff --git a/libpod/container_inspect.go b/libpod/container_inspect.go
index f50c7dbfe..efe09af92 100644
--- a/libpod/container_inspect.go
+++ b/libpod/container_inspect.go
@@ -871,8 +871,8 @@ func (c *Container) generateInspectContainerHostConfig(ctrSpec *spec.Spec, named
 for _, limit := range ctrSpec.Process.Rlimits {
 newLimit := define.InspectUlimit{}
 newLimit.Name = limit.Type
- newLimit.Soft = limit.Soft
- newLimit.Hard = limit.Hard
+ newLimit.Soft = int64(limit.Soft)
+ newLimit.Hard = int64(limit.Hard)
 hostConfig.Ulimits = append(hostConfig.Ulimits, newLimit)
 }
 }
diff --git a/libpod/define/container_inspect.go b/libpod/define/container_inspect.go
index 2cdd53cbc..0f355d20a 100644
--- a/libpod/define/container_inspect.go
+++ b/libpod/define/container_inspect.go
@@ -122,9 +122,9 @@ type InspectUlimit struct {
 // Name is the name (type) of the ulimit.
 Name string `json:"Name"`
 // Soft is the soft limit that will be applied.
- Soft uint64 `json:"Soft"`
+ Soft int64 `json:"Soft"`
 // Hard is the hard limit that will be applied.
- Hard uint64 `json:"Hard"`
+ Hard int64 `json:"Hard"`
 }
 
 // InspectDevice is a single device that will be mounted into the container.
diff --git a/libpod/kube.go b/libpod/kube.go
index f9ead027d..6cb7723c9 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -322,7 +322,8 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, *v1.PodDNS
 return kubeContainer, kubeVolumes, nil, err
 }
 
- if len(c.config.Spec.Linux.Devices) > 0 {
+ // NOTE: a privileged container mounts all of /dev/*.
+ if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 {
 // TODO Enable when we can support devices and their names
 kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices)
 return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices")
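Review bot: The new `int64(limit.Soft)` and `int64(limit.Hard)` conversions silently wrap any rlimit value above math.MaxInt64, so an "unlimited" rlimit carried as all-bits-set in the uint64 spec field comes out as -1 in inspect output. If that is the intended mapping (a signed -1 "unlimited" convention), state it at the conversion, e.g. `// rlimits are uint64 in the OCI spec; an all-bits-set (RLIM_INFINITY) value deliberately wraps to -1 here.`; if it is not, clamp to math.MaxInt64 before converting. Either way the choice should be visible to the next reader rather than implicit in a cast. The enclosing generateInspectContainerHostConfig starts and ends outside the hunk.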
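Review bot: Soft and Hard become signed in this hunk but their doc comments still read as if only non-negative values occur, and the JSON shape is unchanged while Go consumers of define.InspectUlimit now see a different type. A one-line addition on each field would remove the ambiguity for readers of the inspect output, e.g. `// Soft is the soft limit that will be applied; a negative value (-1) denotes an unlimited rlimit.` — confirm that this is how the populating code in container_inspect.go maps the value before asserting it.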
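Review bot: The added NOTE says why a privileged container is skipped but not what the caller ends up with: for a privileged container the device list is dropped from the kube output, and the reader has to know that the securityContext.privileged flag emitted elsewhere in this file is what grants /dev access. Suggest `// NOTE: a privileged container mounts all of /dev/*, so its device entries are implied by securityContext.privileged and are not translated here.` Non-privileged containers with devices still take the ErrNotImplemented path exactly as before. containerToV1Container starts and ends outside the hunk.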
@@ -625,13 +626,18 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {
 
 // generateKubeSecurityContext generates a securityContext based on the existing container
 func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
- priv := c.Privileged()
+ privileged := c.Privileged()
 ro := c.IsReadOnly()
 allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges
 
- newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
- if err != nil {
- return nil, err
+ var capabilities *v1.Capabilities
+ if !privileged {
+ // Running privileged adds all caps.
+ newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
+ if err != nil {
+ return nil, err
+ }
+ capabilities = newCaps
 }
 
 var selinuxOpts v1.SELinuxOptions
@@ -651,8 +657,8 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
 }
 
 sc := v1.SecurityContext{
- Capabilities: newCaps,
- Privileged: &priv,
+ Capabilities: capabilities,
+ Privileged: &privileged,
 SELinuxOptions: &selinuxOpts,
 // RunAsNonRoot is an optional parameter; our first implementations should be root only; however
 // I'm leaving this as a bread-crumb for later
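Review bot: The comment `// Running privileged adds all caps.` sits inside the `if !privileged` branch, i.e. on the path that runs only when the container is not privileged, so it reads as explaining the opposite case; move it above the `if` as `// A privileged container implies all capabilities, so only translate an explicit add/drop set for non-privileged ones.` A second point worth a look: with capabilities left nil for a privileged container, any drops present in c.config.Spec.Process.Capabilities are no longer reflected in the generated securityContext, so if podman permits drops alongside privileged the kube output would be broader than the source container — either confirm that combination cannot occur or document that it is intentionally ignored. generateKubeSecurityContext continues past the end of the hunk.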