aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libpod/kube.go12
-rw-r--r--pkg/adapter/pods.go9
-rw-r--r--test/e2e/play_kube_test.go75
3 files changed, 86 insertions, 10 deletions
diff --git a/libpod/kube.go b/libpod/kube.go
index 084a3df4f..d0e7baf95 100644
--- a/libpod/kube.go
+++ b/libpod/kube.go
@@ -406,18 +406,26 @@ func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v
drop []v1.Capability
add []v1.Capability
)
+ dedupDrop := make(map[string]bool)
+ dedupAdd := make(map[string]bool)
// Find caps in the defaultCaps but not in the container's
// those indicate a dropped cap
for _, capability := range defaultCaps {
if !util.StringInSlice(capability, containerCaps) {
- drop = append(drop, v1.Capability(capability))
+ if _, ok := dedupDrop[capability]; !ok {
+ drop = append(drop, v1.Capability(capability))
+ dedupDrop[capability] = true
+ }
}
}
// Find caps in the container but not in the defaults; those indicate
// an added cap
for _, capability := range containerCaps {
if !util.StringInSlice(capability, defaultCaps) {
- add = append(add, v1.Capability(capability))
+ if _, ok := dedupAdd[capability]; !ok {
+ add = append(add, v1.Capability(capability))
+ dedupAdd[capability] = true
+ }
}
}
diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go
index 2a52cfd0c..e25238956 100644
--- a/pkg/adapter/pods.go
+++ b/pkg/adapter/pods.go
@@ -683,6 +683,15 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
}
+
+ }
+ if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
+ for _, capability := range caps.Add {
+ containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
+ }
+ for _, capability := range caps.Drop {
+ containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
+ }
}
containerConfig.Command = []string{}
diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go
index a6f59a3da..331412a39 100644
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@@ -25,7 +25,9 @@ spec:
{{ with .Containers }}
{{ range . }}
- command:
- - {{ .Cmd }}
+ {{ range .Cmd }}
+ - {{.}}
+ {{ end }}
env:
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
@@ -39,7 +41,21 @@ spec:
resources: {}
securityContext:
allowPrivilegeEscalation: true
- capabilities: {}
+ {{ if .Caps }}
+ capabilities:
+ {{ with .CapAdd }}
+ add:
+ {{ range . }}
+ - {{.}}
+ {{ end }}
+ {{ end }}
+ {{ with .CapDrop }}
+ drop:
+ {{ range . }}
+ - {{.}}
+ {{ end }}
+ {{ end }}
+ {{ end }}
privileged: false
readOnlyRootFilesystem: false
workingDir: /
@@ -54,9 +70,12 @@ type Pod struct {
}
type Container struct {
- Cmd string
- Image string
- Name string
+ Cmd []string
+ Image string
+ Name string
+ Caps bool
+ CapAdd []string
+ CapDrop []string
}
func generateKubeYaml(ctrs []Container, fileName string) error {
@@ -104,8 +123,8 @@ var _ = Describe("Podman generate kube", func() {
It("podman play kube test correct command", func() {
ctrName := "testCtr"
- ctrCmd := "top"
- testContainer := Container{ctrCmd, ALPINE, ctrName}
+ ctrCmd := []string{"top"}
+ testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
err := generateKubeYaml([]Container{testContainer}, tempFile)
@@ -118,6 +137,46 @@ var _ = Describe("Podman generate kube", func() {
inspect := podmanTest.Podman([]string{"inspect", ctrName})
inspect.WaitWithDefaultTimeout()
Expect(inspect.ExitCode()).To(Equal(0))
- Expect(inspect.OutputToString()).To(ContainSubstring(ctrCmd))
+ Expect(inspect.OutputToString()).To(ContainSubstring(ctrCmd[0]))
+ })
+
+ It("podman play kube cap add", func() {
+ ctrName := "testCtr"
+ ctrCmd := []string{"cat", "/proc/self/status"}
+ capAdd := "CAP_SYS_ADMIN"
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capAdd}, nil}
+ tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+ err := generateKubeYaml([]Container{testContainer}, tempFile)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", tempFile})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", ctrName})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+ Expect(inspect.OutputToString()).To(ContainSubstring(capAdd))
+ })
+
+ It("podman play kube cap add", func() {
+ ctrName := "testCtr"
+ ctrCmd := []string{"cat", "/proc/self/status"}
+ capDrop := "CAP_SYS_ADMIN"
+ testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capDrop}, nil}
+ tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+ err := generateKubeYaml([]Container{testContainer}, tempFile)
+ Expect(err).To(BeNil())
+
+ kube := podmanTest.Podman([]string{"play", "kube", tempFile})
+ kube.WaitWithDefaultTimeout()
+ Expect(kube.ExitCode()).To(Equal(0))
+
+ inspect := podmanTest.Podman([]string{"inspect", ctrName})
+ inspect.WaitWithDefaultTimeout()
+ Expect(inspect.ExitCode()).To(Equal(0))
+ Expect(inspect.OutputToString()).To(ContainSubstring(capDrop))
})
})