From b3e0ad51dc04c34054c12004ae514ce1b14d637d Mon Sep 17 00:00:00 2001
From: Antonio Murdaca
Date: Sat, 3 Mar 2018 19:41:17 +0100
Subject: [PATCH] UPSTREAM: 58977: Fix pod sandbox privilege.

Signed-off-by: Antonio Murdaca
---
 .../kubernetes/pkg/kubelet/container/helpers.go | 2 +-
 .../pkg/kubelet/container/helpers_test.go | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/container/helpers.go b/vendor/k8s.io/kubernetes/pkg/kubelet/container/helpers.go
index 32dbc745b304..cc3f18811313 100644
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/container/helpers.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/container/helpers.go
@@ -302,7 +302,7 @@ func GetContainerSpec(pod *v1.Pod, containerName string) *v1.Container {

 // HasPrivilegedContainer returns true if any of the containers in the pod are privileged.
 func HasPrivilegedContainer(pod *v1.Pod) bool {
- for _, c := range pod.Spec.Containers {
+ for _, c := range append(pod.Spec.Containers, pod.Spec.InitContainers...) {
 if c.SecurityContext != nil &&
 c.SecurityContext.Privileged != nil &&
 *c.SecurityContext.Privileged {
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/container/helpers_test.go b/vendor/k8s.io/kubernetes/pkg/kubelet/container/helpers_test.go
index f907e83e8250..14d9d6e6c8c8 100644
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/container/helpers_test.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/container/helpers_test.go
@@ -254,6 +254,20 @@ func TestHasPrivilegedContainer(t *testing.T) {
 t.Errorf("%s expected %t but got %t", k, v.expected, actual)
 }
 }
+ // Test init containers as well.
+ for k, v := range tests {
+ pod := &v1.Pod{
+ Spec: v1.PodSpec{
+ InitContainers: []v1.Container{
+ {SecurityContext: v.securityContext},
+ },
+ },
+ }
+ actual := HasPrivilegedContainer(pod)
+ if actual != v.expected {
+ t.Errorf("%s expected %t but got %t", k, v.expected, actual)
+ }
+ }
 }

 func TestMakePortMappings(t *testing.T) {
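Review bot: In `HasPrivilegedContainer` (helpers.go), the new `append(pod.Spec.Containers, pod.Spec.InitContainers...)` can write the init containers into the backing array of `pod.Spec.Containers` whenever that slice has spare capacity. A read-only privilege check then mutates memory belonging to the pod object, which is a data race if the same pod is inspected from more than one goroutine (whether it is shared is not visible in this hunk). Because the result decides whether the sandbox is treated as privileged, the check should not depend on slice capacity. Ranging over the two slices in turn avoids the aliasing, as does clipping the first slice before appending: `append(pod.Spec.Containers[:len(pod.Spec.Containers):len(pod.Spec.Containers)], pod.Spec.InitContainers...)`. The function body continues past the end of the hunk.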
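Review bot: The loop added to `TestHasPrivilegedContainer` builds pods that carry only `InitContainers`, so no case has both slices populated. A pod with an unprivileged entry in `Containers` and a privileged one in `InitContainers`, and the reverse, would pin the combined check that this fix is about. The new loop also reuses the first loop's failure message, so a failing init-container case cannot be told apart in the output; `t.Errorf("init container: %s expected %t but got %t", k, v.expected, actual)` would separate them. The `tests` table and the start of the function are outside the hunk.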