From fe0f0efa7237f676faf5a94201b2f18982ceef34 Mon Sep 17 00:00:00 2001
From: Spyros Trigazis
Date: Thu, 20 Jun 2019 01:39:59 +0200
Subject: [PATCH] Add build-arg for --allow-privileged https://github.com/kubernetes/kubernetes/pull/77820 https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#node story: 2005124
Change-Id: I2935d34ace08800c805028f1673bc515f2f577e6
Signed-off-by: Spyros Trigazis
---
 dockerfiles/kubernetes-apiserver/Dockerfile | 2 ++
 dockerfiles/kubernetes-apiserver/config | 3 ---
 dockerfiles/kubernetes-controller-manager/Dockerfile | 2 ++
 dockerfiles/kubernetes-controller-manager/config | 3 ---
 dockerfiles/kubernetes-kubelet/Dockerfile | 2 ++
 dockerfiles/kubernetes-kubelet/config | 3 ---
 dockerfiles/kubernetes-proxy/Dockerfile | 3 +++
 dockerfiles/kubernetes-proxy/config | 3 ---
 dockerfiles/kubernetes-scheduler/Dockerfile | 2 ++
 dockerfiles/kubernetes-scheduler/config | 3 ---
 playbooks/container-builder.yaml | 4 ++++
 11 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/dockerfiles/kubernetes-apiserver/Dockerfile b/dockerfiles/kubernetes-apiserver/Dockerfile
index 6335abb8e4..7e5498ed02 100644
--- a/dockerfiles/kubernetes-apiserver/Dockerfile
+++ b/dockerfiles/kubernetes-apiserver/Dockerfile
@@ -1,4 +1,5 @@ ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM fedora:rawhide ARG KUBE_VERSION
@@ -30,6 +31,7 @@ COPY service.template config.json.template /exports/ # however, this would require hard-coding the container name COPY apiserver config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
 RUN mkdir -p /exports/hostfs/usr/local/bin/ COPY --from=0 /root/kubectl /exports/hostfs/usr/local/bin/ RUN chmod +x /exports/hostfs/usr/local/bin/kubectl && \
diff --git a/dockerfiles/kubernetes-apiserver/config b/dockerfiles/kubernetes-apiserver/config
index 8c0a28493f..d6226c7dce 100644
--- a/dockerfiles/kubernetes-apiserver/config
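Review bot: The `ARG ADD_KUBE_ALLOW_PRIV=false` added before `FROM` in the first hunk is not in scope inside the build stage, so `$ADD_KUBE_ALLOW_PRIV` in the new `RUN` line of the second hunk most likely expands to an empty string no matter what the playbook passes: a Dockerfile `ARG` declared before the first `FROM` is usable only in `FROM` lines and has to be redeclared inside the stage, which this file already does for `KUBE_VERSION` (`ARG KUBE_VERSION` right after `FROM fedora:rawhide`) but not for the new arg. With the variable empty the test degrades to `[ = "true" ]`, a `[` syntax error that the trailing `|| true` hides, so the restrictive `KUBE_ALLOW_PRIV="--allow-privileged=false"` line is silently never appended, the build still succeeds, and the older-version images fall back to whatever each binary's own default is with no build-time signal. Add `ARG ADD_KUBE_ALLOW_PRIV` inside the stage that contains the `RUN` (the final stage here, given the `COPY --from=0`) and quote the expansion, `RUN [ "$ADD_KUBE_ALLOW_PRIV" = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true`, so an unset value is a clean false rather than a masked error. The same pair of hunks appears in the controller-manager, kubelet, proxy and scheduler Dockerfiles; the lines between each `FROM` and the new `RUN` are outside these hunks, so a redeclaration placed there would change this assessment.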
+++ b/dockerfiles/kubernetes-apiserver/config
@@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true" # journal message level, 0 is debug KUBE_LOG_LEVEL="--v=0"
-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-controller-manager/Dockerfile b/dockerfiles/kubernetes-controller-manager/Dockerfile
index 2c7fd9b6d4..ecb3608ef6 100644
--- a/dockerfiles/kubernetes-controller-manager/Dockerfile
+++ b/dockerfiles/kubernetes-controller-manager/Dockerfile
@@ -1,4 +1,5 @@ ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM gcr.io/google-containers/kube-controller-manager-amd64:${KUBE_VERSION} ENV container=docker
@@ -17,6 +18,7 @@ COPY launch.sh /usr/bin/kube-controller-manager-docker.sh COPY service.template config.json.template /exports/ COPY controller-manager config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
 RUN mkdir -p /exports/hostfs/etc/kubernetes && \ cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \ cp /etc/kubernetes/controller-manager /exports/hostfs/etc/kubernetes/
diff --git a/dockerfiles/kubernetes-controller-manager/config b/dockerfiles/kubernetes-controller-manager/config
index 8c0a28493f..d6226c7dce 100644
--- a/dockerfiles/kubernetes-controller-manager/config
+++ b/dockerfiles/kubernetes-controller-manager/config
@@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true" # journal message level, 0 is debug KUBE_LOG_LEVEL="--v=0"
-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-kubelet/Dockerfile b/dockerfiles/kubernetes-kubelet/Dockerfile
index 4b5c29c3c6..39d3173c8c 100644
--- a/dockerfiles/kubernetes-kubelet/Dockerfile
+++ b/dockerfiles/kubernetes-kubelet/Dockerfile
@@ -1,4 +1,5 @@ ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM gcr.io/google-containers/hyperkube-amd64:${KUBE_VERSION} ENV container=docker
@@ -14,6 +15,7 @@ LABEL bzcomponent="$NAME" \ COPY launch.sh /usr/bin/kubelet-docker.sh COPY kubelet config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
 COPY manifest.json tmpfiles.template service.template config.json.template /exports/
diff --git a/dockerfiles/kubernetes-kubelet/config b/dockerfiles/kubernetes-kubelet/config
index 8c0a28493f..d6226c7dce 100644
--- a/dockerfiles/kubernetes-kubelet/config
+++ b/dockerfiles/kubernetes-kubelet/config
@@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true" # journal message level, 0 is debug KUBE_LOG_LEVEL="--v=0"
-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-proxy/Dockerfile b/dockerfiles/kubernetes-proxy/Dockerfile
index a4a16c7a69..6c376bb301 100644
--- a/dockerfiles/kubernetes-proxy/Dockerfile
+++ b/dockerfiles/kubernetes-proxy/Dockerfile
@@ -1,4 +1,5 @@ ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM gcr.io/google-containers/kube-proxy-amd64:${KUBE_VERSION} ENV container=docker
@@ -16,6 +17,8 @@ COPY launch.sh /usr/bin/kube-proxy-docker.sh COPY service.template config.json.template /exports/ COPY proxy config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
+
 RUN mkdir -p /exports/hostfs/etc/kubernetes && \ cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \ cp /etc/kubernetes/proxy /exports/hostfs/etc/kubernetes/
diff --git a/dockerfiles/kubernetes-proxy/config b/dockerfiles/kubernetes-proxy/config
index 8c0a28493f..d6226c7dce 100644
--- a/dockerfiles/kubernetes-proxy/config
+++ b/dockerfiles/kubernetes-proxy/config
@@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true" # journal message level, 0 is debug KUBE_LOG_LEVEL="--v=0"
-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/dockerfiles/kubernetes-scheduler/Dockerfile b/dockerfiles/kubernetes-scheduler/Dockerfile
index 6731c9d8cd..c223b866ca 100644
--- a/dockerfiles/kubernetes-scheduler/Dockerfile
+++ b/dockerfiles/kubernetes-scheduler/Dockerfile
@@ -1,4 +1,5 @@ ARG KUBE_VERSION=v1.13.0
+ARG ADD_KUBE_ALLOW_PRIV=false
 FROM gcr.io/google-containers/kube-scheduler-amd64:${KUBE_VERSION} ENV container=docker
@@ -16,6 +17,7 @@ COPY launch.sh /usr/bin/kube-scheduler-docker.sh COPY service.template config.json.template /exports/ COPY scheduler config /etc/kubernetes/
+RUN [ $ADD_KUBE_ALLOW_PRIV = "true" ] && echo "KUBE_ALLOW_PRIV=\"--allow-privileged=false\"" >> /etc/kubernetes/config || true
 RUN mkdir -p /exports/hostfs/etc/kubernetes && \ cp /etc/kubernetes/config /exports/hostfs/etc/kubernetes/ && \ cp /etc/kubernetes/scheduler /exports/hostfs/etc/kubernetes/
diff --git a/dockerfiles/kubernetes-scheduler/config b/dockerfiles/kubernetes-scheduler/config
index 8c0a28493f..d6226c7dce 100644
--- a/dockerfiles/kubernetes-scheduler/config
+++ b/dockerfiles/kubernetes-scheduler/config
@@ -15,8 +15,5 @@ KUBE_LOGTOSTDERR="--logtostderr=true" # journal message level, 0 is debug KUBE_LOG_LEVEL="--v=0"
-# Should this cluster be allowed to run privileged docker containers
-KUBE_ALLOW_PRIV="--allow-privileged=false"
-
 # How the controller-manager, scheduler, and proxy find the apiserver KUBE_MASTER="--master=http://127.0.0.1:8080"
diff --git a/playbooks/container-builder.yaml b/playbooks/container-builder.yaml
index cc7cbcce83..2f747b7b62 100644
--- a/playbooks/container-builder.yaml
+++ b/playbooks/container-builder.yaml
@@ -22,6 +22,7 @@ tag: "{{kubernetes_version_v1_11}}" buildargs: KUBE_VERSION: "{{kubernetes_version_v1_11}}"
+ ADD_KUBE_ALLOW_PRIV: "true"
 push: no with_items: "{{ kubernetes_images }}" retries: 10
@@ -35,6 +36,7 @@ tag: "{{kubernetes_version_v1_12}}" buildargs: KUBE_VERSION: "{{kubernetes_version_v1_12}}"
+ ADD_KUBE_ALLOW_PRIV: "true"
 push: no with_items: "{{ kubernetes_images }}" retries: 10
@@ -48,6 +50,7 @@ tag: "{{kubernetes_version_v1_13}}" buildargs: KUBE_VERSION: "{{kubernetes_version_v1_13}}"
+ ADD_KUBE_ALLOW_PRIV: "true"
 push: no with_items: "{{ kubernetes_images }}" retries: 10
@@ -61,6 +64,7 @@ tag: "{{kubernetes_version_v1_14}}" buildargs: KUBE_VERSION: "{{kubernetes_version_v1_14}}"
+ ADD_KUBE_ALLOW_PRIV: "true"
 push: no with_items: "{{ kubernetes_images }}" retries: 10
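Review bot: The four new `ADD_KUBE_ALLOW_PRIV: "true"` build-arg lines in playbooks/container-builder.yaml give no hint of why the flag is requested only for the v1_11 through v1_14 build tasks, so the next reader has to dig the reason out of the commit message's CHANGELOG link. A one-line comment above the first occurrence, `# --allow-privileged was removed in Kubernetes 1.15; only the older images get KUBE_ALLOW_PRIV appended to /etc/kubernetes/config`, would make the version cut-off self-explanatory in the playbook itself. Whether a v1_15 build task exists and is deliberately left without the arg is outside these hunks.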