示例#1
// allowHostNetwork reports whether the given pod may use host networking.
//
// The decision is an allowlist lookup: the pod's source (as returned by
// getPodSource) must match one of the entries in the HostNetworkSources
// list of the current capabilities. A source that is not listed is denied.
// If the pod's source cannot be determined, the error is returned together
// with false, so a failed lookup never grants host networking.
func allowHostNetwork(pod *api.Pod) (bool, error) {
	src, err := getPodSource(pod)
	if err != nil {
		// Fail closed: an unknown source is not treated as permitted.
		return false, err
	}

	for _, permitted := range capabilities.Get().HostNetworkSources {
		if permitted != src {
			continue
		}
		return true, nil
	}

	// No allowlist entry matched the pod's source.
	return false, nil
}
示例#2
// canRunPod verifies that the pod requests nothing the current capabilities
// forbid. It returns nil when the pod may run and a descriptive error
// otherwise.
//
// Two checks are made, in order:
//  1. A pod asking for host networking must come from a source accepted by
//     allowHostNetwork.
//  2. Unless AllowPrivileged is set, no container in pod.Spec.Containers may
//     carry a privileged request.
//
// NOTE(review): only pod.Spec.Containers is inspected for privileged
// requests, and host networking is the only host-level setting checked
// here. Confirm that this API version has no other container list or host
// namespace field that should be gated in the same place.
func canRunPod(pod *api.Pod) error {
	if pod.Spec.HostNetwork {
		switch ok, err := allowHostNetwork(pod); {
		case err != nil:
			// The pod's source could not be resolved; refuse rather than guess.
			return err
		case !ok:
			return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
		}
	}

	// Privileged containers are globally permitted: nothing further to check.
	if capabilities.Get().AllowPrivileged {
		return nil
	}

	for _, ctr := range pod.Spec.Containers {
		if !securitycontext.HasPrivilegedRequest(&ctr) {
			continue
		}
		return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
	}
	return nil
}