

Merge pull request #3692 from haircommander/play-caps
Add Capability support to play kube
openshift-merge-robot authored Aug 2, 2019
2 parents 2cc5913 + 834107c commit 5370c53
Showing 3 changed files with 86 additions and 10 deletions.
12 changes: 10 additions & 2 deletions libpod/kube.go
Expand Up @@ -406,18 +406,26 @@ func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v
drop []v1.Capability
add []v1.Capability
)
dedupDrop := make(map[string]bool)
dedupAdd := make(map[string]bool)
// Find caps in the defaultCaps but not in the container's
// those indicate a dropped cap
for _, capability := range defaultCaps {
if !util.StringInSlice(capability, containerCaps) {
drop = append(drop, v1.Capability(capability))
if _, ok := dedupDrop[capability]; !ok {
drop = append(drop, v1.Capability(capability))
dedupDrop[capability] = true
}
}
}
// Find caps in the container but not in the defaults; those indicate
// an added cap
for _, capability := range containerCaps {
if !util.StringInSlice(capability, defaultCaps) {
add = append(add, v1.Capability(capability))
if _, ok := dedupAdd[capability]; !ok {
add = append(add, v1.Capability(capability))
dedupAdd[capability] = true
}
}
}

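Review bot: The comma-ok lookups on the new `dedupDrop`/`dedupAdd` maps at L28 and L39 are more verbose than the code needs: both maps hold `bool`, so a missing key already reads as `false` and each nested `if` folds into the enclosing condition, e.g. `if !util.StringInSlice(capability, containerCaps) && !dedupDrop[capability] {`. If membership is all that matters, `map[string]struct{}` states that intent more clearly than `map[string]bool`. Note also that the dedup only collapses exact repeats within `defaultCaps` or `containerCaps`; nothing here normalizes case or a `CAP_` prefix, so a capability spelled two ways would still be emitted twice — presumably callers already pass canonical names, which is worth confirming and recording in the function's comment. The return statement and the remainder of determineCapAddDropFromCapabilities lie past the end of this hunk.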
9 changes: 9 additions & 0 deletions pkg/adapter/pods.go
Expand Up @@ -683,6 +683,15 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
}

}
if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
for _, capability := range caps.Add {
containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
}
for _, capability := range caps.Drop {
containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
}
}

containerConfig.Command = []string{}
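Review bot: The new `caps := containerYAML.SecurityContext.Capabilities` at L55 dereferences `SecurityContext` without a nil check, and it sits after the `}` at L54 that appears to close the `if containerYAML.SecurityContext != nil` guard the earlier `AllowPrivilegeEscalation` access at L50 depends on; if that reading is right, any container spec that omits `securityContext` — the common case — would panic in play kube instead of receiving default capabilities. Moving the block inside that guard, or guarding it explicitly with `if containerYAML.SecurityContext != nil && containerYAML.SecurityContext.Capabilities != nil {`, avoids the nil pointer. A short comment would also help here, since nothing in the hunk validates the names: the entries are forwarded verbatim to `CapAdd`/`CapDrop`, so rejection of unknown or malformed capability names has to happen downstream in container creation, and a reader should know that is where to look. The opening of the guard and the rest of kubeContainerToCreateConfig are outside the hunk.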
75 changes: 67 additions & 8 deletions test/e2e/play_kube_test.go
Expand Up @@ -25,7 +25,9 @@ spec:
{{ with .Containers }}
{{ range . }}
- command:
- {{ .Cmd }}
{{ range .Cmd }}
- {{.}}
{{ end }}
env:
- name: PATH
value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Expand All @@ -39,7 +41,21 @@ spec:
resources: {}
securityContext:
allowPrivilegeEscalation: true
capabilities: {}
{{ if .Caps }}
capabilities:
{{ with .CapAdd }}
add:
{{ range . }}
- {{.}}
{{ end }}
{{ end }}
{{ with .CapDrop }}
drop:
{{ range . }}
- {{.}}
{{ end }}
{{ end }}
{{ end }}
privileged: false
readOnlyRootFilesystem: false
workingDir: /
Expand All @@ -54,9 +70,12 @@ type Pod struct {
}

type Container struct {
Cmd string
Image string
Name string
Cmd []string
Image string
Name string
Caps bool
CapAdd []string
CapDrop []string
}

func generateKubeYaml(ctrs []Container, fileName string) error {
Expand Down Expand Up @@ -104,8 +123,8 @@ var _ = Describe("Podman generate kube", func() {

It("podman play kube test correct command", func() {
ctrName := "testCtr"
ctrCmd := "top"
testContainer := Container{ctrCmd, ALPINE, ctrName}
ctrCmd := []string{"top"}
testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")

err := generateKubeYaml([]Container{testContainer}, tempFile)
Expand All @@ -118,6 +137,46 @@ var _ = Describe("Podman generate kube", func() {
inspect := podmanTest.Podman([]string{"inspect", ctrName})
inspect.WaitWithDefaultTimeout()
Expect(inspect.ExitCode()).To(Equal(0))
Expect(inspect.OutputToString()).To(ContainSubstring(ctrCmd))
Expect(inspect.OutputToString()).To(ContainSubstring(ctrCmd[0]))
})

It("podman play kube cap add", func() {
ctrName := "testCtr"
ctrCmd := []string{"cat", "/proc/self/status"}
capAdd := "CAP_SYS_ADMIN"
testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capAdd}, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")

err := generateKubeYaml([]Container{testContainer}, tempFile)
Expect(err).To(BeNil())

kube := podmanTest.Podman([]string{"play", "kube", tempFile})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

inspect := podmanTest.Podman([]string{"inspect", ctrName})
inspect.WaitWithDefaultTimeout()
Expect(inspect.ExitCode()).To(Equal(0))
Expect(inspect.OutputToString()).To(ContainSubstring(capAdd))
})

It("podman play kube cap add", func() {
ctrName := "testCtr"
ctrCmd := []string{"cat", "/proc/self/status"}
capDrop := "CAP_SYS_ADMIN"
testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capDrop}, nil}
tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")

err := generateKubeYaml([]Container{testContainer}, tempFile)
Expect(err).To(BeNil())

kube := podmanTest.Podman([]string{"play", "kube", tempFile})
kube.WaitWithDefaultTimeout()
Expect(kube.ExitCode()).To(Equal(0))

inspect := podmanTest.Podman([]string{"inspect", ctrName})
inspect.WaitWithDefaultTimeout()
Expect(inspect.ExitCode()).To(Equal(0))
Expect(inspect.OutputToString()).To(ContainSubstring(capDrop))
})
})
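Review bot: The second new test at L157 is a copy of the first rather than a drop test: it is also named "podman play kube cap add", and at L161 it places `capDrop` in the CapAdd slot of the Container literal (`true, []string{capDrop}, nil`) instead of CapDrop, so the drop path added in pods.go is never exercised and the duplicate description makes the two cases indistinguishable in a failing run. Change the description to `It("podman play kube cap drop", func() {` and the literal to `testContainer := Container{ctrCmd, ALPINE, ctrName, true, nil, []string{capDrop}}`. Both tests are also weaker than they look: `ContainSubstring(capAdd)` / `ContainSubstring(capDrop)` over the whole inspect output would match the name whether it landed in the added or the dropped list, and the `cat /proc/self/status` command the container runs — whose output would show the effective capability mask — is never examined; asserting on the specific inspect field for added versus dropped capabilities (a `--format` query, for instance) would pin the direction. Keeping `allowPrivilegeEscalation: true` in the template while testing capability drops may also be worth a comment, since it is a separate knob from the capability set.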
