Fix pod sandbox privilege.

Signed-off-by: Lantao Liu <[email protected]>

pkg/kubelet/container/helpers.go

@@ -302,7 +302,7 @@ func GetContainerSpec(pod *v1.Pod, containerName string) *v1.Container {
 
 // HasPrivilegedContainer returns true if any of the containers in the pod are privileged.
 func HasPrivilegedContainer(pod *v1.Pod) bool {
-	for _, c := range pod.Spec.Containers {
+	for _, c := range append(pod.Spec.Containers, pod.Spec.InitContainers...) {
 		if c.SecurityContext != nil &&
 			c.SecurityContext.Privileged != nil &&
 			*c.SecurityContext.Privileged {

pkg/kubelet/container/helpers_test.go

@@ -254,6 +254,20 @@ func TestHasPrivilegedContainer(t *testing.T) {
 			t.Errorf("%s expected %t but got %t", k, v.expected, actual)
 		}
 	}
+	// Test init containers as well.
+	for k, v := range tests {
+		pod := &v1.Pod{
+			Spec: v1.PodSpec{
+				InitContainers: []v1.Container{
+					{SecurityContext: v.securityContext},
+				},
+			},
+		}
+		actual := HasPrivilegedContainer(pod)
+		if actual != v.expected {
+			t.Errorf("%s expected %t but got %t", k, v.expected, actual)
+		}
+	}
 }
 
 func TestMakePortMappings(t *testing.T) {