Merge pull request #2222 from Thor-wl/0509-1680

allow privilege containers to pass the admission webhook validation by default
volcano-sh · May 13, 2022 · 137bf56 · 137bf56
2 parents 0434735 + f38b2bf
commit 137bf56
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 17 deletions.
diff --git a/cmd/webhook-manager/app/options/options.go b/cmd/webhook-manager/app/options/options.go
@@ -73,15 +73,12 @@ func (c *Config) AddFlags(fs *pflag.FlagSet) {
 	fs.BoolVar(&c.PrintVersion, "version", false, "Show version and quit")
 	fs.Float32Var(&c.KubeClientOptions.QPS, "kube-api-qps", defaultQPS, "QPS to use while talking with kubernetes apiserver")
 	fs.IntVar(&c.KubeClientOptions.Burst, "kube-api-burst", defaultBurst, "Burst to use while talking with kubernetes apiserver")
-
 	fs.StringVar(&c.CaCertFile, "ca-cert-file", c.CaCertFile, "File containing the x509 Certificate for HTTPS.")
 	fs.StringVar(&c.WebhookNamespace, "webhook-namespace", "", "The namespace of this webhook")
 	fs.StringVar(&c.WebhookName, "webhook-service-name", "", "The name of this webhook")
 	fs.StringVar(&c.WebhookURL, "webhook-url", "", "The url of this webhook")
 	fs.StringVar(&c.EnabledAdmission, "enabled-admission", defaultEnabledAdmission, "enabled admission webhooks")
-
 	fs.StringVar(&c.SchedulerName, "scheduler-name", defaultSchedulerName, "Volcano will handle pods whose .spec.SchedulerName is same as scheduler-name")
-
 	fs.StringVar(&c.ConfigPath, "admission-conf", "", "The configmap file of this webhook")
 }
 

diff --git a/installer/dockerfile/webhook-manager/gen-admission-secret.sh b/installer/dockerfile/webhook-manager/gen-admission-secret.sh
@@ -5,7 +5,7 @@ set -e
 usage() {
     cat <<EOF
 Generate certificate suitable for use with an admission controller service.
-This script uses k8s' CertificateSigningRequest API to a generate a
+This script uses k8s' CertificateSigningRequest API to generate a
 certificate signed by k8s CA suitable for use with webhook
 services. This requires permissions to create and approve CSR. See
 https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster for

diff --git a/pkg/webhooks/admission/jobs/validate/admit_job.go b/pkg/webhooks/admission/jobs/validate/admit_job.go
@@ -33,6 +33,7 @@ import (
 	k8scorev1 "k8s.io/kubernetes/pkg/apis/core/v1"
 	v1qos "k8s.io/kubernetes/pkg/apis/core/v1/helper/qos"
 	k8scorevalid "k8s.io/kubernetes/pkg/apis/core/validation"
+	"k8s.io/kubernetes/pkg/capabilities"
 
 	"volcano.sh/apis/pkg/apis/batch/v1alpha1"
 	schedulingv1beta1 "volcano.sh/apis/pkg/apis/scheduling/v1beta1"
@@ -44,6 +45,14 @@ import (
 )
 
 func init() {
+	capabilities.Initialize(capabilities.Capabilities{
+		AllowPrivileged: true,
+		PrivilegedSources: capabilities.PrivilegedSources{
+			HostNetworkSources: []string{},
+			HostPIDSources:     []string{},
+			HostIPCSources:     []string{},
+		},
+	})
 	router.RegisterAdmission(service)
 }
 
@@ -284,19 +293,6 @@ func validateTaskTemplate(task v1alpha1.TaskSpec, job *v1alpha1.Job, index int)
 	var coreTemplateSpec k8score.PodTemplateSpec
 	k8scorev1.Convert_v1_PodTemplateSpec_To_core_PodTemplateSpec(&v1PodTemplate.Template, &coreTemplateSpec, nil)
 
-	// Skip verify container SecurityContex.Privileged as it depends on
-	// the kube-apiserver `allow-privileged` flag.
-	for i, container := range coreTemplateSpec.Spec.InitContainers {
-		if container.SecurityContext != nil && container.SecurityContext.Privileged != nil {
-			coreTemplateSpec.Spec.InitContainers[i].SecurityContext.Privileged = nil
-		}
-	}
-	for i, container := range coreTemplateSpec.Spec.Containers {
-		if container.SecurityContext != nil && container.SecurityContext.Privileged != nil {
-			coreTemplateSpec.Spec.Containers[i].SecurityContext.Privileged = nil
-		}
-	}
-
 	corePodTemplate := k8score.PodTemplate{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      task.Name,