sentinel: skip executor that don't allow privileged containers
if they are requested.
This commit is contained in:
parent
0296d594b5
commit
5c911523c5
|
@ -279,11 +279,24 @@ func (s *Runservice) chooseExecutor(ctx context.Context, rct *types.RunConfigTas
|
|||
}
|
||||
|
||||
func chooseExecutor(executors []*types.Executor, rct *types.RunConfigTask) *types.Executor {
|
||||
requiresPrivilegedContainers := false
|
||||
for _, c := range rct.Runtime.Containers {
|
||||
if c.Privileged == true {
|
||||
requiresPrivilegedContainers = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
for _, e := range executors {
|
||||
if e.LastStatusUpdateTime.Add(defaultExecutorNotAliveInterval).Before(time.Now()) {
|
||||
continue
|
||||
}
|
||||
|
||||
// skip executor provileged containers are required but not allowed
|
||||
if requiresPrivilegedContainers == true && e.AllowPrivilegedContainers == false {
|
||||
continue
|
||||
}
|
||||
|
||||
// if arch is not defined use any executor arch
|
||||
if rct.Runtime.Arch != "" {
|
||||
hasArch := false
|
||||
|
|
|
@ -572,6 +572,13 @@ func TestChooseExecutor(t *testing.T) {
|
|||
return e
|
||||
}()
|
||||
|
||||
executorOKAllowsPriviledContainers := func() *types.Executor {
|
||||
e := executorOK.DeepCopy()
|
||||
e.ID = "executorOKAllowsPrivilegedContainers"
|
||||
e.AllowPrivilegedContainers = true
|
||||
return e
|
||||
}()
|
||||
|
||||
// Only primary and the required variables for this test are set
|
||||
rct := &types.RunConfigTask{
|
||||
ID: "task01",
|
||||
|
@ -581,6 +588,19 @@ func TestChooseExecutor(t *testing.T) {
|
|||
},
|
||||
}
|
||||
|
||||
rctWithPrivilegedContainers := &types.RunConfigTask{
|
||||
ID: "task01",
|
||||
Name: "task01",
|
||||
Runtime: &types.Runtime{Type: types.RuntimeType("pod"),
|
||||
Arch: common.ArchAMD64,
|
||||
Containers: []*types.Container{
|
||||
{
|
||||
Privileged: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
executors []*types.Executor
|
||||
|
@ -624,6 +644,18 @@ func TestChooseExecutor(t *testing.T) {
|
|||
rct: rct,
|
||||
out: executorOKMultipleArchs,
|
||||
},
|
||||
{
|
||||
name: "test single executor without allowed privileged container but privileged containers are required",
|
||||
executors: []*types.Executor{executorOK},
|
||||
rct: rctWithPrivilegedContainers,
|
||||
out: nil,
|
||||
},
|
||||
{
|
||||
name: "test single executor with allowed privileged container and privileged containers are required",
|
||||
executors: []*types.Executor{executorOKAllowsPriviledContainers},
|
||||
rct: rctWithPrivilegedContainers,
|
||||
out: executorOKAllowsPriviledContainers,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
|
|
Loading…
Reference in New Issue