sentinel: skip executor that don't allow privileged containers

if they are requested.
This commit is contained in:
Simone Gotti 2019-06-13 18:32:56 +02:00
parent 0296d594b5
commit 5c911523c5
2 changed files with 45 additions and 0 deletions

View File

@ -279,11 +279,24 @@ func (s *Runservice) chooseExecutor(ctx context.Context, rct *types.RunConfigTas
}
func chooseExecutor(executors []*types.Executor, rct *types.RunConfigTask) *types.Executor {
requiresPrivilegedContainers := false
for _, c := range rct.Runtime.Containers {
if c.Privileged == true {
requiresPrivilegedContainers = true
break
}
}
for _, e := range executors {
if e.LastStatusUpdateTime.Add(defaultExecutorNotAliveInterval).Before(time.Now()) {
continue
}
// skip executor provileged containers are required but not allowed
if requiresPrivilegedContainers == true && e.AllowPrivilegedContainers == false {
continue
}
// if arch is not defined use any executor arch
if rct.Runtime.Arch != "" {
hasArch := false

View File

@ -572,6 +572,13 @@ func TestChooseExecutor(t *testing.T) {
return e
}()
executorOKAllowsPriviledContainers := func() *types.Executor {
e := executorOK.DeepCopy()
e.ID = "executorOKAllowsPrivilegedContainers"
e.AllowPrivilegedContainers = true
return e
}()
// Only primary and the required variables for this test are set
rct := &types.RunConfigTask{
ID: "task01",
@ -581,6 +588,19 @@ func TestChooseExecutor(t *testing.T) {
},
}
rctWithPrivilegedContainers := &types.RunConfigTask{
ID: "task01",
Name: "task01",
Runtime: &types.Runtime{Type: types.RuntimeType("pod"),
Arch: common.ArchAMD64,
Containers: []*types.Container{
{
Privileged: true,
},
},
},
}
tests := []struct {
name string
executors []*types.Executor
@ -624,6 +644,18 @@ func TestChooseExecutor(t *testing.T) {
rct: rct,
out: executorOKMultipleArchs,
},
{
name: "test single executor without allowed privileged container but privileged containers are required",
executors: []*types.Executor{executorOK},
rct: rctWithPrivilegedContainers,
out: nil,
},
{
name: "test single executor with allowed privileged container and privileged containers are required",
executors: []*types.Executor{executorOKAllowsPriviledContainers},
rct: rctWithPrivilegedContainers,
out: executorOKAllowsPriviledContainers,
},
}
for _, tt := range tests {