From 3acfcb30628ed937200a144817f52ee52cfc2e40 Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Thu, 1 Aug 2019 14:12:32 -0400 Subject: [PATCH 1/2] Deduplicate capabilities in generate kube capabilities that were added and dropped were several times duplicated. Fix this Signed-off-by: Peter Hunt --- libpod/kube.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/libpod/kube.go b/libpod/kube.go index 084a3df4fd..d46a82856f 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -406,18 +406,26 @@ func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v drop []v1.Capability add []v1.Capability ) + dedupDrop := make(map[string]bool) + dedupAdd := make(map[string]bool) // Find caps in the defaultCaps but not in the container's // those indicate a dropped cap for _, capability := range defaultCaps { if !util.StringInSlice(capability, containerCaps) { - drop = append(drop, v1.Capability(capability)) + if _, ok := dedupDrop[capability]; !ok { + drop = append(drop, v1.Capability(capability)) + dedupDrop[capability] = true + } } } // Find caps in the container but not in the defaults; those indicate // an added cap for _, capability := range containerCaps { if !util.StringInSlice(capability, defaultCaps) { - add = append(add, v1.Capability(capability)) + if _, ok := dedupAdd[string(capability)]; !ok { + add = append(add, v1.Capability(capability)) + dedupAdd[capability] = true + } } } From 834107c82ea50c3299d23c07c04f81b6974202f9 Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Thu, 1 Aug 2019 15:31:15 -0400 Subject: [PATCH 2/2] Add capability functionality to play kube Take capabilities written in a kube and add to a container adapt test suite and write cap-add/drop tests Signed-off-by: Peter Hunt --- libpod/kube.go | 2 +- pkg/adapter/pods.go | 9 +++++ test/e2e/play_kube_test.go | 75 ++++++++++++++++++++++++++++++++++---- 3 files changed, 77 insertions(+), 9 deletions(-) diff --git a/libpod/kube.go b/libpod/kube.go index d46a82856f..d0e7baf956 100644 --- a/libpod/kube.go +++ b/libpod/kube.go @@ -422,7 +422,7 @@ func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v // an added cap for _, capability := range containerCaps { if !util.StringInSlice(capability, defaultCaps) { - if _, ok := dedupAdd[string(capability)]; !ok { + if _, ok := dedupAdd[capability]; !ok { add = append(add, v1.Capability(capability)) dedupAdd[capability] = true } diff --git a/pkg/adapter/pods.go b/pkg/adapter/pods.go index b9d7fcd9b9..c3a9ab8d8a 100644 --- a/pkg/adapter/pods.go +++ b/pkg/adapter/pods.go @@ -682,6 +682,15 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil { containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation } + + } + if caps := containerYAML.SecurityContext.Capabilities; caps != nil { + for _, capability := range caps.Add { + containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability)) + } + for _, capability := range caps.Drop { + containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability)) + } } containerConfig.Command = []string{} diff --git a/test/e2e/play_kube_test.go b/test/e2e/play_kube_test.go index a6f59a3dae..331412a391 100644 --- a/test/e2e/play_kube_test.go +++ b/test/e2e/play_kube_test.go @@ -25,7 +25,9 @@ spec: {{ with .Containers }} {{ range . }} - command: - - {{ .Cmd }} + {{ range .Cmd }} + - {{.}} + {{ end }} env: - name: PATH value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin @@ -39,7 +41,21 @@ spec: resources: {} securityContext: allowPrivilegeEscalation: true - capabilities: {} + {{ if .Caps }} + capabilities: + {{ with .CapAdd }} + add: + {{ range . }} + - {{.}} + {{ end }} + {{ end }} + {{ with .CapDrop }} + drop: + {{ range . }} + - {{.}} + {{ end }} + {{ end }} + {{ end }} privileged: false readOnlyRootFilesystem: false workingDir: / @@ -54,9 +70,12 @@ type Pod struct { } type Container struct { - Cmd string - Image string - Name string + Cmd []string + Image string + Name string + Caps bool + CapAdd []string + CapDrop []string } func generateKubeYaml(ctrs []Container, fileName string) error { @@ -104,8 +123,8 @@ var _ = Describe("Podman generate kube", func() { It("podman play kube test correct command", func() { ctrName := "testCtr" - ctrCmd := "top" - testContainer := Container{ctrCmd, ALPINE, ctrName} + ctrCmd := []string{"top"} + testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil} tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") err := generateKubeYaml([]Container{testContainer}, tempFile) @@ -118,6 +137,46 @@ var _ = Describe("Podman generate kube", func() { inspect := podmanTest.Podman([]string{"inspect", ctrName}) inspect.WaitWithDefaultTimeout() Expect(inspect.ExitCode()).To(Equal(0)) - Expect(inspect.OutputToString()).To(ContainSubstring(ctrCmd)) + Expect(inspect.OutputToString()).To(ContainSubstring(ctrCmd[0])) + }) + + It("podman play kube cap add", func() { + ctrName := "testCtr" + ctrCmd := []string{"cat", "/proc/self/status"} + capAdd := "CAP_SYS_ADMIN" + testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capAdd}, nil} + tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") + + err := generateKubeYaml([]Container{testContainer}, tempFile) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", tempFile}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"inspect", ctrName}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + Expect(inspect.OutputToString()).To(ContainSubstring(capAdd)) + }) + + It("podman play kube cap add", func() { + ctrName := "testCtr" + ctrCmd := []string{"cat", "/proc/self/status"} + capDrop := "CAP_SYS_ADMIN" + testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capDrop}, nil} + tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml") + + err := generateKubeYaml([]Container{testContainer}, tempFile) + Expect(err).To(BeNil()) + + kube := podmanTest.Podman([]string{"play", "kube", tempFile}) + kube.WaitWithDefaultTimeout() + Expect(kube.ExitCode()).To(Equal(0)) + + inspect := podmanTest.Podman([]string{"inspect", ctrName}) + inspect.WaitWithDefaultTimeout() + Expect(inspect.ExitCode()).To(Equal(0)) + Expect(inspect.OutputToString()).To(ContainSubstring(capDrop)) }) })