// Determined whether the specified pod is allowed to use host networking func allowHostNetwork(pod *api.Pod) (bool, error) { podSource, err := getPodSource(pod) if err != nil { return false, err } for _, source := range capabilities.Get().HostNetworkSources { if source == podSource { return true, nil } } return false, nil }
// canRunPod verifies that the configured capabilities permit running pod.
// Two requirements are checked: a pod requesting host networking must come
// from an allowed source (see allowHostNetwork), and a pod with a container
// requesting privileged mode is rejected unless AllowPrivileged is set.
// The returned error names the pod UID and the violated requirement; nil
// means the pod may run.
func canRunPod(pod *api.Pod) error {
	if pod.Spec.HostNetwork {
		ok, err := allowHostNetwork(pod)
		switch {
		case err != nil:
			return err
		case !ok:
			return fmt.Errorf("pod with UID %q specified host networking, but is disallowed", pod.UID)
		}
	}

	if capabilities.Get().AllowPrivileged {
		return nil
	}
	// Privileged containers are disallowed by configuration: reject the pod if
	// any container asks for one.
	// NOTE(review): only pod.Spec.Containers is inspected; confirm this api.Pod
	// version carries no other container list that could request privilege.
	for _, ctr := range pod.Spec.Containers {
		if securitycontext.HasPrivilegedRequest(&ctr) {
			return fmt.Errorf("pod with UID %q specified privileged container, but is disallowed", pod.UID)
		}
	}
	return nil
}