Google Git
Sign in
apache / cloudstack-kubernetes-provider / b13b4a31891ea31a105db83bf019224b9407aa9e / . / vendor / k8s.io / kubernetes / pkg / kubelet / util.go
blob: 3047c2fa619f9f1ebc086c5f7c43c1d3a1f82179 [file] [log] [blame]
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubelet
import (
"fmt"
"os"
"k8s.io/api/core/v1"
"k8s.io/kubernetes/pkg/capabilities"
kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
"k8s.io/kubernetes/pkg/securitycontext"
)
// Check whether we have the capabilities to run the specified pod.
func canRunPod(pod *v1.Pod) error {
if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
for _, container := range pod.Spec.InitContainers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged init container, but is disallowed", pod.UID)
}
}
}
if pod.Spec.HostNetwork {
allowed, err := allowHostNetwork(pod)
if err != nil {
return err
}
if !allowed {
return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
}
}
if pod.Spec.HostPID {
allowed, err := allowHostPID(pod)
if err != nil {
return err
}
if !allowed {
return fmt.Errorf("pod with UID %q specified host PID, but is disallowed", pod.UID)
}
}
if pod.Spec.HostIPC {
allowed, err := allowHostIPC(pod)
if err != nil {
return err
}
if !allowed {
return fmt.Errorf("pod with UID %q specified host ipc, but is disallowed", pod.UID)
}
}
return nil
}
// Determined whether the specified pod is allowed to use host networking
func allowHostNetwork(pod *v1.Pod) (bool, error) {
podSource, err := kubetypes.GetPodSource(pod)
if err != nil {
return false, err
}
for _, source := range capabilities.Get().PrivilegedSources.HostNetworkSources {
if source == podSource {
return true, nil
}
}
return false, nil
}
// Determined whether the specified pod is allowed to use host PID
func allowHostPID(pod *v1.Pod) (bool, error) {
podSource, err := kubetypes.GetPodSource(pod)
if err != nil {
return false, err
}
for _, source := range capabilities.Get().PrivilegedSources.HostPIDSources {
if source == podSource {
return true, nil
}
}
return false, nil
}
// Determined whether the specified pod is allowed to use host ipc
func allowHostIPC(pod *v1.Pod) (bool, error) {
podSource, err := kubetypes.GetPodSource(pod)
if err != nil {
return false, err
}
for _, source := range capabilities.Get().PrivilegedSources.HostIPCSources {
if source == podSource {
return true, nil
}
}
return false, nil
}
// dirExists returns true if the path exists and represents a directory.
func dirExists(path string) bool {
s, err := os.Stat(path)
if err != nil {
return false
}
return s.IsDir()
}
// empty is a placeholder type used to implement a set
type empty struct{}