From 4fece5843ab5929f0e15ecc2cdabf8ad10738b24 Mon Sep 17 00:00:00 2001
From: Slava Semushin
Date: Wed, 29 Nov 2017 16:26:54 +0100
Subject: [PATCH] UPSTREAM: 56503: MustRunAsNonRoot should reject a pod if it has non-numeric USER
---
 .../pkg/kubelet/kuberuntime/kuberuntime_container.go | 11 ++++-------
 .../pkg/kubelet/kuberuntime/security_context.go | 11 +++++++----
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/kuberuntime_container.go b/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/kuberuntime_container.go
index 7be99adcd2fb..5d168507b9ef 100644
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/kuberuntime_container.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/kuberuntime_container.go
@@ -174,13 +174,10 @@ func (m *kubeGenericRuntimeManager) generateContainerConfig(container *v1.Contai
 	if err != nil {
 		return nil, err
 	}
-	if uid != nil {
-		// Verify RunAsNonRoot. Non-root verification only supports numeric user.
-		if err := verifyRunAsNonRoot(pod, container, *uid); err != nil {
-			return nil, err
-		}
-	} else if username != "" {
-		glog.Warningf("Non-root verification doesn't support non-numeric user (%s)", username)
+
+	// Verify RunAsNonRoot. Non-root verification only supports numeric user.
+	if err := verifyRunAsNonRoot(pod, container, uid, username); err != nil {
+		return nil, err
 	}
 
 	command, args := kubecontainer.ExpandContainerCommandAndArgs(container, opts.Envs)
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/security_context.go b/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/security_context.go
index 0cc784fc3aa8..1825ed8d4338 100644
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/security_context.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/kuberuntime/security_context.go
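Review bot: The added comment `// Verify RunAsNonRoot. Non-root verification only supports numeric user.` is now stale: the old code skipped the check with a warning for a non-numeric user, whereas the new verifyRunAsNonRoot (second file of this patch) rejects the container in that case. Suggest `// Verify RunAsNonRoot. A non-numeric image USER cannot be checked and is rejected by verifyRunAsNonRoot.` so the comment matches the new behaviour. generateContainerConfig starts and ends outside this hunk.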
@@ -64,7 +64,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
 }
 
 // verifyRunAsNonRoot verifies RunAsNonRoot.
-func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid int64) error {
+func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid *int64, username string) error {
 	effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
 	if effectiveSc == nil || effectiveSc.RunAsNonRoot == nil {
 		return nil
@@ -77,11 +77,14 @@ func verifyRunAsNonRoot(pod *v1.Pod, container *v1.Container, uid int64) error {
 		return nil
 	}
 
-	if uid == 0 {
+	switch {
+	case uid != nil && *uid == 0:
 		return fmt.Errorf("container has runAsNonRoot and image will run as root")
+	case uid == nil && len(username) > 0:
+		return fmt.Errorf("container has runAsNonRoot and image has non-numeric user (%s), cannot verify user is non-root", username)
+	default:
+		return nil
 	}
-
-	return nil
 }
 
 // convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext.
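Review bot: The doc comment `// verifyRunAsNonRoot verifies RunAsNonRoot.` is left unchanged although the signature now takes `uid *int64, username string`, so a reader cannot tell which of the two describes the image user or what is rejected. Suggest a comment along the lines of: verifyRunAsNonRoot enforces the effective RunAsNonRoot setting against the image's user, where uid is the numeric user when the image declares one and username is its non-numeric USER otherwise; it returns nil when the effective security context has no RunAsNonRoot, and an error when the image user is root or cannot be verified. The function body continues in the next hunk.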
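Review bot: The `default:` branch returns nil when uid is nil and username is empty, so a container with runAsNonRoot whose image user could not be determined passes the check with no verification at all; the only rejection of the unverifiable case is gated on `len(username) > 0`. Unless the caller guarantees that (nil, "") never reaches this function — the caller is in kuberuntime_container.go, outside this hunk — the safer contract is to fail closed: change the second case to `case uid == nil:` and make the message cover an empty name, e.g. `return fmt.Errorf("container has runAsNonRoot and image user %q is non-numeric or unknown, cannot verify user is non-root", username)`. Using `%q` rather than `%s` also keeps an empty or whitespace-only username visible in the error. The switch and the function's closing brace are both inside this hunk.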