Commit d744fd41 authored by k8s-merge-robot's avatar k8s-merge-robot Committed by GitHub

Merge pull request #27598 from xiangpengzhao/optimize_canRunPod

Automatic merge from submit-queue Refactor func canRunPod After refactoring, we only need to check `if pod.Spec.SecurityContext == nil` once. The logic is a bit clearer.
parents 700fbd05 28286d68
...@@ -27,7 +27,24 @@ import ( ...@@ -27,7 +27,24 @@ import (
// Check whether we have the capabilities to run the specified pod. // Check whether we have the capabilities to run the specified pod.
func canRunPod(pod *api.Pod) error { func canRunPod(pod *api.Pod) error {
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostNetwork { if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
for _, container := range pod.Spec.InitContainers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged init container, but is disallowed", pod.UID)
}
}
}
if pod.Spec.SecurityContext == nil {
return nil
}
if pod.Spec.SecurityContext.HostNetwork {
allowed, err := allowHostNetwork(pod) allowed, err := allowHostNetwork(pod)
if err != nil { if err != nil {
return err return err
...@@ -37,7 +54,7 @@ func canRunPod(pod *api.Pod) error { ...@@ -37,7 +54,7 @@ func canRunPod(pod *api.Pod) error {
} }
} }
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID { if pod.Spec.SecurityContext.HostPID {
allowed, err := allowHostPID(pod) allowed, err := allowHostPID(pod)
if err != nil { if err != nil {
return err return err
...@@ -47,7 +64,7 @@ func canRunPod(pod *api.Pod) error { ...@@ -47,7 +64,7 @@ func canRunPod(pod *api.Pod) error {
} }
} }
if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostIPC { if pod.Spec.SecurityContext.HostIPC {
allowed, err := allowHostIPC(pod) allowed, err := allowHostIPC(pod)
if err != nil { if err != nil {
return err return err
...@@ -57,18 +74,6 @@ func canRunPod(pod *api.Pod) error { ...@@ -57,18 +74,6 @@ func canRunPod(pod *api.Pod) error {
} }
} }
if !capabilities.Get().AllowPrivileged {
for _, container := range pod.Spec.Containers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
for _, container := range pod.Spec.InitContainers {
if securitycontext.HasPrivilegedRequest(&container) {
return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
}
}
}
return nil return nil
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment