From 1b4871b3c4715553641a1b4918a1318fd5990836 Mon Sep 17 00:00:00 2001
From: Thor-wl <13164644535@163.com>
Date: Wed, 11 May 2022 15:53:48 +0800
Subject: [PATCH] fix admission webhook that allow privilege container to pass the validation

Signed-off-by: Thor-wl <13164644535@163.com>
---
 cmd/webhook-manager/app/options/options.go | 3 ---
 cmd/webhook-manager/app/server.go | 9 +++++++++
 .../webhook-manager/gen-admission-secret.sh | 2 +-
 pkg/webhooks/admission/jobs/validate/admit_job.go | 13 -------------
 4 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/cmd/webhook-manager/app/options/options.go b/cmd/webhook-manager/app/options/options.go
index e3bcdaa4c92..4376bbedfe3 100644
--- a/cmd/webhook-manager/app/options/options.go
+++ b/cmd/webhook-manager/app/options/options.go
@@ -73,15 +73,12 @@ func (c *Config) AddFlags(fs *pflag.FlagSet) {
 fs.BoolVar(&c.PrintVersion, "version", false, "Show version and quit")
 fs.Float32Var(&c.KubeClientOptions.QPS, "kube-api-qps", defaultQPS, "QPS to use while talking with kubernetes apiserver")
 fs.IntVar(&c.KubeClientOptions.Burst, "kube-api-burst", defaultBurst, "Burst to use while talking with kubernetes apiserver")
- fs.StringVar(&c.CaCertFile, "ca-cert-file", c.CaCertFile, "File containing the x509 Certificate for HTTPS.")
 fs.StringVar(&c.WebhookNamespace, "webhook-namespace", "", "The namespace of this webhook")
 fs.StringVar(&c.WebhookName, "webhook-service-name", "", "The name of this webhook")
 fs.StringVar(&c.WebhookURL, "webhook-url", "", "The url of this webhook")
 fs.StringVar(&c.EnabledAdmission, "enabled-admission", defaultEnabledAdmission, "enabled admission webhooks")
- fs.StringVar(&c.SchedulerName, "scheduler-name", defaultSchedulerName, "Volcano will handle pods whose .spec.SchedulerName is same as scheduler-name")
- fs.StringVar(&c.ConfigPath, "admission-conf", "", "The configmap file of this webhook")
 }
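Review bot: Dropping the `--ca-cert-file`, `--scheduler-name` and `--admission-conf` registrations from `AddFlags` is a user-visible CLI change that the commit message (privileged-container validation) does not mention, while the `Config` fields they populated (`CaCertFile`, `SchedulerName`, `ConfigPath`) are not touched in this hunk. If the flags are not registered anywhere else, deployments that still pass them will fail at flag parsing, and `c.SchedulerName` no longer receives `defaultSchedulerName` unless something else assigns it; if they were duplicate registrations (pflag panics on a redefined flag), a sentence saying so in the commit message would make the removal self-explanatory. `AddFlags` begins before the start of the hunk.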
diff --git a/cmd/webhook-manager/app/server.go b/cmd/webhook-manager/app/server.go
index 80bc191dbf0..058edf7186b 100644
--- a/cmd/webhook-manager/app/server.go
+++ b/cmd/webhook-manager/app/server.go
@@ -28,6 +28,7 @@ import (
 corev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 "k8s.io/client-go/tools/record"
 "k8s.io/klog"
+ "k8s.io/kubernetes/pkg/capabilities"
 "volcano.sh/apis/pkg/apis/scheduling/scheme"
 "volcano.sh/volcano/cmd/webhook-manager/app/options"
@@ -39,6 +40,14 @@ import (
 // Run start the service of admission controller.
 func Run(config *options.Config) error {
+ capabilities.Initialize(capabilities.Capabilities{
+ AllowPrivileged: true,
+ PrivilegedSources: capabilities.PrivilegedSources{
+ HostNetworkSources: []string{},
+ HostPIDSources: []string{},
+ HostIPCSources: []string{},
+ },
+ })
 if config.PrintVersion {
 version.PrintVersionAndExit()
 return nil
diff --git a/installer/dockerfile/webhook-manager/gen-admission-secret.sh b/installer/dockerfile/webhook-manager/gen-admission-secret.sh
index cc2e0835dfd..db8ca681132 100755
--- a/installer/dockerfile/webhook-manager/gen-admission-secret.sh
+++ b/installer/dockerfile/webhook-manager/gen-admission-secret.sh
@@ -5,7 +5,7 @@ set -e
 usage() { cat <
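Review bot: The `capabilities.Initialize` call added at the top of `Run` carries no comment explaining why a webhook manager needs kube-apiserver's process-global capability settings, and `AllowPrivileged: true` is a policy decision a reader should not have to reconstruct from the commit title. If the job validation does reuse the pod validation from `k8s.io/kubernetes` (the `admit_job.go` change in the diffstat is not in this chunk), add a why-comment along the lines of `// The pod validation reused from k8s.io/kubernetes consults this process-global; allow privileged containers here and leave their enforcement to the cluster's own pod-level admission.` As far as I recall `Initialize` is guarded by a `sync.Once` and later calls are ignored, so the values chosen here are the only ones this process will ever see; if the empty `HostNetworkSources`/`HostPIDSources`/`HostIPCSources` slices are deliberate rather than placeholders, the same comment should say so. Consider also placing the call after the `config.PrintVersion` early return so `--version` does not initialize unrelated global state. `Run` continues past the end of the hunk.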