Commit 59b1f4a1 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #39473 from php-coder/improve_err_msg_about_privileged

Automatic merge from submit-queue (batch tested with PRs 39394, 38270, 39473, 39516, 36243) Improve an error message when privileged containers are disallowed on the cluster **What this PR does / why we need it**: At present when user creates privileged pod and creation of privileged containers disallowed globally by a system administrator (kubelet and api-server were running with `--allow-privileged=false`), user will get the following error message: ```console $ kubectl create -f nginx.pod The Pod "nginx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: disallowed by policy ``` "Disallowed by policy" may give a wrong assumption to a user that creation of privileged containers disallowed by [`PodSecurityPolicy`](http://kubernetes.io/docs/user-guide/pod-security-policy/) while it's not. This commit improves error message and tries to point user to the right direction: ```console $ kubectl create -f nginx.pod The Pod "nginx" is invalid: spec.containers[0].securityContext.privileged: Forbidden: privileged containers are disallowed on this cluster by a system administrator ``` **Release note**: ```release-note NONE ``` PTAL @pweil-
parents 125bf9c1 7e4b0477
......@@ -3504,7 +3504,7 @@ func ValidateSecurityContext(sc *api.SecurityContext, fldPath *field.Path) field
if sc.Privileged != nil {
if *sc.Privileged && !capabilities.Get().AllowPrivileged {
allErrs = append(allErrs, field.Forbidden(fldPath.Child("privileged"), "disallowed by policy"))
allErrs = append(allErrs, field.Forbidden(fldPath.Child("privileged"), "disallowed by cluster policy"))
}
}
......
......@@ -8155,7 +8155,7 @@ func TestValidateSecurityContext(t *testing.T) {
"request privileged when capabilities forbids": {
sc: privRequestWithGlobalDeny,
errorType: "FieldValueForbidden",
errorDetail: "disallowed by policy",
errorDetail: "disallowed by cluster policy",
},
"negative RunAsUser": {
sc: negativeRunAsUser,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment