Merge pull request #90569 from brianpursley/kubectl-721

Added --privileged flag to kubectl run

Kubernetes-commit: 5b76272c353ab345de83238eddb7224c71443b91

Godeps/Godeps.json

@@ -756,7 +756,7 @@
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery",
-			"Rev": "1a0ee4aea6d1"
+			"Rev": "96f75771c510"
 		},
 		{
 			"ImportPath": "k8s.io/cli-runtime",

go.mod

@@ -35,7 +35,7 @@ require (
 	golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f
 	gopkg.in/yaml.v2 v2.2.8
 	k8s.io/api v0.0.0-20200616091053-96dd8b8608bc
-	k8s.io/apimachinery v0.0.0-20200616090325-1a0ee4aea6d1
+	k8s.io/apimachinery v0.0.0-20200616090325-96f75771c510
 	k8s.io/cli-runtime v0.0.0-20200616102832-a8624640395d
 	k8s.io/client-go v0.0.0-20200616091859-0adb702ae49b
 	k8s.io/component-base v0.0.0-20200616093421-8d48f868cdb4
@@ -52,7 +52,7 @@ replace (
 	golang.org/x/sys => golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a // pinned to release-branch.go1.13
 	golang.org/x/tools => golang.org/x/tools v0.0.0-20190821162956-65e3620a7ae7 // pinned to release-branch.go1.13
 	k8s.io/api => k8s.io/api v0.0.0-20200616091053-96dd8b8608bc
-	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200616090325-1a0ee4aea6d1
+	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200616090325-96f75771c510
 	k8s.io/cli-runtime => k8s.io/cli-runtime v0.0.0-20200616102832-a8624640395d
 	k8s.io/client-go => k8s.io/client-go v0.0.0-20200616091859-0adb702ae49b
 	k8s.io/code-generator => k8s.io/code-generator v0.0.0-20200616085743-b88f4eb8c2e2

go.sum

@@ -443,7 +443,7 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 k8s.io/api v0.0.0-20200616091053-96dd8b8608bc/go.mod h1:zfjW4fcGaY49eODR10Bw016NHJLk9kfHjL/GnXGO0Hc=
-k8s.io/apimachinery v0.0.0-20200616090325-1a0ee4aea6d1/go.mod h1:diAekxQB6O2LunkgrS6bHwK4dfE2K8KIxK3GeFjrgBU=
+k8s.io/apimachinery v0.0.0-20200616090325-96f75771c510/go.mod h1:diAekxQB6O2LunkgrS6bHwK4dfE2K8KIxK3GeFjrgBU=
 k8s.io/cli-runtime v0.0.0-20200616102832-a8624640395d/go.mod h1:ZfYIPoi+1QDWCMDoOFJIu3ESYVhS0nD7T/N9fbw0MmE=
 k8s.io/client-go v0.0.0-20200616091859-0adb702ae49b/go.mod h1:d4bV9T69HeWSChjkEGgay7Kij96MXt/fQSai8QT22qI=
 k8s.io/code-generator v0.0.0-20200616085743-b88f4eb8c2e2/go.mod h1:6NiFnMML+4VaG+kHKew+dc+SBC3Q+5NTNQIHdJJbG3w=

pkg/cmd/run/run.go

@@ -120,6 +120,7 @@ type RunOptions struct {
 	Interactive    bool
 	LeaveStdinOpen bool
 	Port           string
+	Privileged     bool
 	Quiet          bool
 	Schedule       string
 	TTY            bool
@@ -202,6 +203,7 @@ func addRunFlags(cmd *cobra.Command, opt *RunOptions) {
 	cmd.Flags().BoolVar(&opt.Quiet, "quiet", opt.Quiet, "If true, suppress prompt messages.")
 	cmd.Flags().StringVar(&opt.Schedule, "schedule", opt.Schedule, i18n.T("A schedule in the Cron format the job should be run with."))
 	cmd.Flags().MarkDeprecated("schedule", "has no effect and will be removed in the future.")
+	cmd.Flags().BoolVar(&opt.Privileged, "privileged", opt.Privileged, i18n.T("If true, run the container in privileged mode."))
 	cmdutil.AddFieldManagerFlagVar(cmd, &opt.fieldManager, "kubectl-run")
 }
 

pkg/generate/versioned/run.go

@@ -229,6 +229,7 @@ func (BasicPod) ParamNames() []generate.GeneratorParam {
 		{Name: "requests", Required: false},
 		{Name: "limits", Required: false},
 		{Name: "serviceaccount", Required: false},
+		{Name: "privileged", Required: false},
 	}
 }
 
@@ -281,6 +282,18 @@ func (BasicPod) Generate(genericParams map[string]interface{}) (runtime.Object,
 	if len(restartPolicy) == 0 {
 		restartPolicy = v1.RestartPolicyAlways
 	}
+
+	privileged, err := generate.GetBool(params, "privileged", false)
+	if err != nil {
+		return nil, err
+	}
+	var securityContext *v1.SecurityContext
+	if privileged {
+		securityContext = &v1.SecurityContext{
+			Privileged: &privileged,
+		}
+	}
+
 	pod := v1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:   name,
@@ -290,12 +303,13 @@ func (BasicPod) Generate(genericParams map[string]interface{}) (runtime.Object,
 			ServiceAccountName: params["serviceaccount"],
 			Containers: []v1.Container{
 				{
-					Name:      name,
-					Image:     params["image"],
-					Stdin:     stdin,
-					StdinOnce: !leaveStdinOpen && stdin,
-					TTY:       tty,
-					Resources: resourceRequirements,
+					Name:            name,
+					Image:           params["image"],
+					Stdin:           stdin,
+					StdinOnce:       !leaveStdinOpen && stdin,
+					TTY:             tty,
+					Resources:       resourceRequirements,
+					SecurityContext: securityContext,
 				},
 			},
 			DNSPolicy:     v1.DNSClusterFirst,

pkg/generate/versioned/run_test.go

@@ -254,6 +254,32 @@ func TestGeneratePod(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "test10: privileged mode",
+			params: map[string]interface{}{
+				"name":       "foo",
+				"image":      "someimage",
+				"replicas":   "1",
+				"privileged": "true",
+			},
+			expected: &v1.Pod{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:   "foo",
+					Labels: map[string]string{"run": "foo"},
+				},
+				Spec: v1.PodSpec{
+					Containers: []v1.Container{
+						{
+							Name:            "foo",
+							Image:           "someimage",
+							SecurityContext: securityContextWithPrivilege(true),
+						},
+					},
+					DNSPolicy:     v1.DNSClusterFirst,
+					RestartPolicy: v1.RestartPolicyAlways,
+				},
+			},
+		},
 	}
 	generator := BasicPod{}
 	for _, tt := range tests {
@@ -358,3 +384,9 @@ func TestParseEnv(t *testing.T) {
 		})
 	}
 }
+
+func securityContextWithPrivilege(privileged bool) *v1.SecurityContext {
+	return &v1.SecurityContext{
+		Privileged: &privileged,
+	}
+}