sentinel: skip executor that don't allow privileged containers

if they are requested.
This commit is contained in:
Simone Gotti 2019-06-13 18:32:56 +02:00
parent 0296d594b5
commit 5c911523c5
2 changed files with 45 additions and 0 deletions


@ -279,11 +279,24 @@ func (s *Runservice) chooseExecutor(ctx context.Context, rct *types.RunConfigTas
} }
func chooseExecutor(executors []*types.Executor, rct *types.RunConfigTask) *types.Executor { func chooseExecutor(executors []*types.Executor, rct *types.RunConfigTask) *types.Executor {
requiresPrivilegedContainers := false
for _, c := range rct.Runtime.Containers {
if c.Privileged == true {
requiresPrivilegedContainers = true
break
}
}
for _, e := range executors { for _, e := range executors {
if e.LastStatusUpdateTime.Add(defaultExecutorNotAliveInterval).Before(time.Now()) { if e.LastStatusUpdateTime.Add(defaultExecutorNotAliveInterval).Before(time.Now()) {
continue continue
} }
// skip executor provileged containers are required but not allowed
if requiresPrivilegedContainers == true && e.AllowPrivilegedContainers == false {
continue
}
// if arch is not defined use any executor arch // if arch is not defined use any executor arch
if rct.Runtime.Arch != "" { if rct.Runtime.Arch != "" {
hasArch := false hasArch := false
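Review bot: The new comparisons `if c.Privileged == true` and `if requiresPrivilegedContainers == true && e.AllowPrivilegedContainers == false` test booleans against literals, which staticcheck flags (S1002); write them as `if c.Privileged {` and `if requiresPrivilegedContainers && !e.AllowPrivilegedContainers {`. The comment above the new guard has a typo and is missing a word; suggest `// skip executors that don't allow privileged containers when the task requires one`. Keep in mind this is scheduling-side filtering, not enforcement: an executor whose AllowPrivilegedContainers flag is false should still refuse to start a privileged container itself, and I cannot confirm from this hunk that the executor side does so. Containers is a `[]*types.Container`, so a nil entry would panic on `c.Privileged`; presumably earlier validation rules that out, but a `c == nil` skip in the scan is cheap. chooseExecutor's body continues past the end of the hunk.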


@ -572,6 +572,13 @@ func TestChooseExecutor(t *testing.T) {
return e return e
}() }()
executorOKAllowsPriviledContainers := func() *types.Executor {
e := executorOK.DeepCopy()
e.ID = "executorOKAllowsPrivilegedContainers"
e.AllowPrivilegedContainers = true
return e
}()
// Only primary and the required variables for this test are set // Only primary and the required variables for this test are set
rct := &types.RunConfigTask{ rct := &types.RunConfigTask{
ID: "task01", ID: "task01",
@ -581,6 +588,19 @@ func TestChooseExecutor(t *testing.T) {
}, },
} }
rctWithPrivilegedContainers := &types.RunConfigTask{
ID: "task01",
Name: "task01",
Runtime: &types.Runtime{Type: types.RuntimeType("pod"),
Arch: common.ArchAMD64,
Containers: []*types.Container{
{
Privileged: true,
},
},
},
}
tests := []struct { tests := []struct {
name string name string
executors []*types.Executor executors []*types.Executor
@ -624,6 +644,18 @@ func TestChooseExecutor(t *testing.T) {
rct: rct, rct: rct,
out: executorOKMultipleArchs, out: executorOKMultipleArchs,
}, },
{
name: "test single executor without allowed privileged container but privileged containers are required",
executors: []*types.Executor{executorOK},
rct: rctWithPrivilegedContainers,
out: nil,
},
{
name: "test single executor with allowed privileged container and privileged containers are required",
executors: []*types.Executor{executorOKAllowsPriviledContainers},
rct: rctWithPrivilegedContainers,
out: executorOKAllowsPriviledContainers,
},
} }
for _, tt := range tests { for _, tt := range tests {
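Review bot: The two new table entries only exercise single-executor lists, so they do not show that the filter selects correctly among mixed executors, nor that an executor allowing privileged containers is still eligible for a task that does not need them (`rct`); both directions of the new guard should be pinned, and the two entries below would do it. `executorOKAllowsPriviledContainers` is misspelled while the ID string assigned to it reads `executorOKAllowsPrivilegedContainers`; renaming the variable to match keeps the two consistent and greppable. The `tests` table and the `for _, tt := range tests` loop continue past the end of the hunk.

```go
// … unchanged: existing test cases …
{
	name:      "test mixed executors and privileged containers are required",
	executors: []*types.Executor{executorOK, executorOKAllowsPrivilegedContainers},
	rct:       rctWithPrivilegedContainers,
	out:       executorOKAllowsPrivilegedContainers,
},
{
	name:      "test single executor with allowed privileged container and no privileged containers are required",
	executors: []*types.Executor{executorOKAllowsPrivilegedContainers},
	rct:       rct,
	out:       executorOKAllowsPrivilegedContainers,
},
```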