Merge pull request kubernetes#30466 from vishh/kubelet-as-root

Automatic merge from submit-queue [Kubelet] Check if kubelet is running as uid 0 Related to kubernetes#30176
lavalamp · Aug 15, 2016 · 921c460 · 921c460
2 parents 967dc42 + c75b61e
commit 921c460
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
@@ -35,7 +35,6 @@ import (
 	"github.com/golang/glog"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"github.com/syndtr/gocapability/capability"
 
 	"k8s.io/kubernetes/cmd/kubelet/app/options"
 	"k8s.io/kubernetes/pkg/api"
@@ -301,10 +300,22 @@ func Run(s *options.KubeletServer, kcfg *KubeletConfig) error {
 	return err
 }
 
+func checkPermissions() error {
+	if uid := os.Getuid(); uid != 0 {
+		return fmt.Errorf("Kubelet needs to run as uid `0`. It is being run as %d", uid)
+	}
+	// TODO: Check if kubelet is running in the `initial` user namespace.
+	// http://man7.org/linux/man-pages/man7/user_namespaces.7.html
+	return nil
+}
+
 func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
 	if s.ExitOnLockContention && s.LockFilePath == "" {
 		return errors.New("cannot exit on lock file contention: no lock file specified")
 	}
+	if err := checkPermissions(); err != nil {
+		glog.Error(err)
+	}
 
 	done := make(chan struct{})
 	if s.LockFilePath != "" {
@@ -325,15 +336,6 @@ func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) {
 		glog.Errorf("unable to register configz: %s", err)
 	}
 
-	// check if we have CAP_SYS_ADMIN to setgroup properly
-	pid, err := capability.NewPid(os.Getpid())
-	if err != nil {
-		return err
-	}
-	if !pid.Get(capability.EFFECTIVE, capability.CAP_SYS_ADMIN) {
-		return fmt.Errorf("Kubelet needs the CAP_SYS_ADMIN capability. Please run kubelet as root or in a privileged container")
-	}
-
 	if kcfg == nil {
 		cfg, err := UnsecuredKubeletConfig(s)
 		if err != nil {