From 683f5c08eb8928964944cd35b9d4e96374d544e7 Mon Sep 17 00:00:00 2001
From: Brian Pursley
Date: Tue, 28 Apr 2020 16:30:59 -0400
Subject: [PATCH] Added --privileged flag to kubectl run

Kubernetes-commit: cd005c1da41e54971319030687cecafec4884868
---
 pkg/cmd/run/run.go | 2 ++
 pkg/generate/versioned/run.go | 26 ++++++++++++++++++------
 pkg/generate/versioned/run_test.go | 32 ++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/pkg/cmd/run/run.go b/pkg/cmd/run/run.go
index 3c7252e2..26aaffe0 100644
--- a/pkg/cmd/run/run.go
+++ b/pkg/cmd/run/run.go
@@ -120,6 +120,7 @@ type RunOptions struct {
 Interactive bool
 LeaveStdinOpen bool
 Port string
+ Privileged bool
 Quiet bool
 Schedule string
 TTY bool
@@ -202,6 +203,7 @@ func addRunFlags(cmd *cobra.Command, opt *RunOptions) {
 cmd.Flags().BoolVar(&opt.Quiet, "quiet", opt.Quiet, "If true, suppress prompt messages.")
 cmd.Flags().StringVar(&opt.Schedule, "schedule", opt.Schedule, i18n.T("A schedule in the Cron format the job should be run with."))
 cmd.Flags().MarkDeprecated("schedule", "has no effect and will be removed in the future.")
+ cmd.Flags().BoolVar(&opt.Privileged, "privileged", opt.Privileged, i18n.T("If true, run the container in privileged mode."))
 cmdutil.AddFieldManagerFlagVar(cmd, &opt.fieldManager, "kubectl-run")
 }
diff --git a/pkg/generate/versioned/run.go b/pkg/generate/versioned/run.go
index 4f70a9d4..6eade8d9 100644
--- a/pkg/generate/versioned/run.go
+++ b/pkg/generate/versioned/run.go
@@ -229,6 +229,7 @@ func (BasicPod) ParamNames() []generate.GeneratorParam {
 {Name: "requests", Required: false},
 {Name: "limits", Required: false},
 {Name: "serviceaccount", Required: false},
+ {Name: "privileged", Required: false},
 }
 }
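Review bot: The help string for `--privileged` in addRunFlags (pkg/cmd/run/run.go) does not say what privileged mode grants. A privileged container runs with roughly the access of a root process on the node (host devices, all capabilities), so the text should state that, for example `i18n.T("If true, run the container in privileged mode, giving it host-level access to devices and capabilities on the node.")`. Separately, the diffstat shows only these two added lines in this file, so nothing here reads `opt.Privileged`. The value presumably reaches the generator by flag name through the new `privileged` entry in ParamNames, and a one-line comment on the struct field saying so would spare the next reader the search. addRunFlags begins outside the hunk.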
@@ -281,6 +282,18 @@ func (BasicPod) Generate(genericParams map[string]interface{}) (runtime.Object,
 if len(restartPolicy) == 0 {
 restartPolicy = v1.RestartPolicyAlways
 }
+
+ privileged, err := generate.GetBool(params, "privileged", false)
+ if err != nil {
+ return nil, err
+ }
+ var securityContext *v1.SecurityContext
+ if privileged {
+ securityContext = &v1.SecurityContext{
+ Privileged: &privileged,
+ }
+ }
+
 pod := v1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 Name: name,
@@ -290,12 +303,13 @@ func (BasicPod) Generate(genericParams map[string]interface{}) (runtime.Object,
 ServiceAccountName: params["serviceaccount"],
 Containers: []v1.Container{
 {
- Name: name,
- Image: params["image"],
- Stdin: stdin,
- StdinOnce: !leaveStdinOpen && stdin,
- TTY: tty,
- Resources: resourceRequirements,
+ Name: name,
+ Image: params["image"],
+ Stdin: stdin,
+ StdinOnce: !leaveStdinOpen && stdin,
+ TTY: tty,
+ Resources: resourceRequirements,
+ SecurityContext: securityContext,
 },
 },
 DNSPolicy: v1.DNSClusterFirst,
diff --git a/pkg/generate/versioned/run_test.go b/pkg/generate/versioned/run_test.go
index 79cc4e46..081e7bb5 100644
--- a/pkg/generate/versioned/run_test.go
+++ b/pkg/generate/versioned/run_test.go
@@ -254,6 +254,32 @@ func TestGeneratePod(t *testing.T) {
 },
 },
 },
+ {
+ name: "test10: privileged mode",
+ params: map[string]interface{}{
+ "name": "foo",
+ "image": "someimage",
+ "replicas": "1",
+ "privileged": "true",
+ },
+ expected: &v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "foo",
+ Labels: map[string]string{"run": "foo"},
+ },
+ Spec: v1.PodSpec{
+ Containers: []v1.Container{
+ {
+ Name: "foo",
+ Image: "someimage",
+ SecurityContext: securityContextWithPrivilege(true),
+ },
+ },
+ DNSPolicy: v1.DNSClusterFirst,
+ RestartPolicy: v1.RestartPolicyAlways,
+ },
+ },
+ },
 }
 generator := BasicPod{}
 for _, tt := range tests {
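Review bot: The block added to BasicPod.Generate that builds `securityContext` has no comment explaining why the pointer stays nil when the parameter is false or absent. That choice leaves the generated container without a SecurityContext for every caller that does not ask for privileged mode, which the existing table expectations presumably depend on. This is also the only place in the generator where container isolation is relaxed. I would add `// Attach a SecurityContext only when privileged is explicitly requested, so default pods carry none.` above the `var securityContext` line. Generate starts and ends outside the hunk.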
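Review bot: test10 in TestGeneratePod covers only `"privileged": "true"`; the explicit false case and the new error return in Generate for an unparsable value are not exercised. I would add a case with `"privileged": "false"` whose expected container has no SecurityContext. If the table supports an expected-error field (the test struct is outside the hunk), add another with a non-boolean value that expects an error. Together they pin the property that a privileged container is produced only on an explicit true and that a malformed value fails closed rather than falling back silently.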
@@ -358,3 +384,9 @@ func TestParseEnv(t *testing.T) {
 })
 }
 }
+
+func securityContextWithPrivilege(privileged bool) *v1.SecurityContext {
+ return &v1.SecurityContext{
+ Privileged: &privileged,
+ }
+}