sentinel: skip executor that don't allow privileged containers

if they are requested.
2019-06-13 18:32:56 +02:00 · 2019-06-13 18:32:56 +02:00 · 5c911523c5
parent 0296d594b5
commit 5c911523c5
2 changed files with 45 additions and 0 deletions
--- a/internal/services/runservice/scheduler.go
+++ b/internal/services/runservice/scheduler.go
@ -279,11 +279,24 @@ func (s *Runservice) chooseExecutor(ctx context.Context, rct *types.RunConfigTas
 }

 func chooseExecutor(executors []*types.Executor, rct *types.RunConfigTask) *types.Executor {
+	requiresPrivilegedContainers := false
+	for _, c := range rct.Runtime.Containers {
+		if c.Privileged == true {
+			requiresPrivilegedContainers = true
+			break
+		}
+	}
+
 	for _, e := range executors {
 		if e.LastStatusUpdateTime.Add(defaultExecutorNotAliveInterval).Before(time.Now()) {
 			continue
 		}

+		// skip executor provileged containers are required but not allowed
+		if requiresPrivilegedContainers == true && e.AllowPrivilegedContainers == false {
+			continue
+		}
+
 		// if arch is not defined use any executor arch
 		if rct.Runtime.Arch != "" {
 			hasArch := false
--- a/internal/services/runservice/scheduler_test.go
+++ b/internal/services/runservice/scheduler_test.go
@ -572,6 +572,13 @@ func TestChooseExecutor(t *testing.T) {
 		return e
 	}()

+	executorOKAllowsPriviledContainers := func() *types.Executor {
+		e := executorOK.DeepCopy()
+		e.ID = "executorOKAllowsPrivilegedContainers"
+		e.AllowPrivilegedContainers = true
+		return e
+	}()
+
 	// Only primary and the required variables for this test are set
 	rct := &types.RunConfigTask{
 		ID:   "task01",
@ -581,6 +588,19 @@ func TestChooseExecutor(t *testing.T) {
 		},
 	}

+	rctWithPrivilegedContainers := &types.RunConfigTask{
+		ID:   "task01",
+		Name: "task01",
+		Runtime: &types.Runtime{Type: types.RuntimeType("pod"),
+			Arch: common.ArchAMD64,
+			Containers: []*types.Container{
+				{
+					Privileged: true,
+				},
+			},
+		},
+	}
+
 	tests := []struct {
 		name      string
 		executors []*types.Executor
@ -624,6 +644,18 @@ func TestChooseExecutor(t *testing.T) {
 			rct:       rct,
 			out:       executorOKMultipleArchs,
 		},
+		{
+			name:      "test single executor without allowed privileged container but privileged containers are required",
+			executors: []*types.Executor{executorOK},
+			rct:       rctWithPrivilegedContainers,
+			out:       nil,
+		},
+		{
+			name:      "test single executor with allowed privileged container and privileged containers are required",
+			executors: []*types.Executor{executorOKAllowsPriviledContainers},
+			rct:       rctWithPrivilegedContainers,
+			out:       executorOKAllowsPriviledContainers,
+		},
 	}

 	for _, tt := range tests {