@@ -27,7 +27,24 @@ import (
27
27
28
28
// Check whether we have the capabilities to run the specified pod.
29
29
func canRunPod (pod * api.Pod ) error {
30
- if pod .Spec .SecurityContext != nil && pod .Spec .SecurityContext .HostNetwork {
30
+ if ! capabilities .Get ().AllowPrivileged {
31
+ for _ , container := range pod .Spec .Containers {
32
+ if securitycontext .HasPrivilegedRequest (& container ) {
33
+ return fmt .Errorf ("pod with UID %q specified privileged container, but is disallowed" , pod .UID )
34
+ }
35
+ }
36
+ for _ , container := range pod .Spec .InitContainers {
37
+ if securitycontext .HasPrivilegedRequest (& container ) {
38
+ return fmt .Errorf ("pod with UID %q specified privileged init container, but is disallowed" , pod .UID )
39
+ }
40
+ }
41
+ }
42
+
43
+ if pod .Spec .SecurityContext == nil {
44
+ return nil
45
+ }
46
+
47
+ if pod .Spec .SecurityContext .HostNetwork {
31
48
allowed , err := allowHostNetwork (pod )
32
49
if err != nil {
33
50
return err
@@ -37,7 +54,7 @@ func canRunPod(pod *api.Pod) error {
37
54
}
38
55
}
39
56
40
- if pod .Spec .SecurityContext != nil && pod . Spec . SecurityContext .HostPID {
57
+ if pod .Spec .SecurityContext .HostPID {
41
58
allowed , err := allowHostPID (pod )
42
59
if err != nil {
43
60
return err
@@ -47,7 +64,7 @@ func canRunPod(pod *api.Pod) error {
47
64
}
48
65
}
49
66
50
- if pod .Spec .SecurityContext != nil && pod . Spec . SecurityContext .HostIPC {
67
+ if pod .Spec .SecurityContext .HostIPC {
51
68
allowed , err := allowHostIPC (pod )
52
69
if err != nil {
53
70
return err
@@ -57,18 +74,6 @@ func canRunPod(pod *api.Pod) error {
57
74
}
58
75
}
59
76
60
- if ! capabilities .Get ().AllowPrivileged {
61
- for _ , container := range pod .Spec .Containers {
62
- if securitycontext .HasPrivilegedRequest (& container ) {
63
- return fmt .Errorf ("pod with UID %q specified privileged container, but is disallowed" , pod .UID )
64
- }
65
- }
66
- for _ , container := range pod .Spec .InitContainers {
67
- if securitycontext .HasPrivilegedRequest (& container ) {
68
- return fmt .Errorf ("pod with UID %q specified privileged container, but is disallowed" , pod .UID )
69
- }
70
- }
71
- }
72
77
return nil
73
78
}
74
79
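Review bot: The doc comment on canRunPod in the first hunk (old/new line 28) does not follow the Go convention of starting with the function name and does not state the contract the rewritten body now has, so I would replace it with `// canRunPod returns nil when this kubelet may run pod, otherwise the error from the first check that fails: a privileged container or init container while AllowPrivileged is off, then the HostNetwork, HostPID and HostIPC requests in pod.Spec.SecurityContext.` Taking `&container` of the range variable in the two new loops is safe here because the pointer is only passed to HasPrivilegedRequest and not retained, but every reader has to verify that and aliasing linters will flag it; indexing instead, `for i := range pod.Spec.Containers { if securitycontext.HasPrivilegedRequest(&pod.Spec.Containers[i]) {` (and likewise for InitContainers), removes both the question and the warning. canRunPod opens in the first hunk and its closing brace is in the last hunk; the middle hunks only drop the per-check `SecurityContext != nil` tests, which the hoisted nil guard in the first hunk makes equivalent.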