Merge pull request #808 from Random-Liu/erase-ambient-caps

Erase ambient capabilities.
Lantao Liu 2018-06-08 20:06:34 -07:00 committed by GitHub
commit 5a1105c614
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 0 deletions


@ -372,6 +372,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
securityContext.GetCapabilities()) securityContext.GetCapabilities())
} }
} }
// Clear all ambient capabilities. The implication of non-root + caps
// is not clearly defined in Kubernetes.
// See https://github.com/kubernetes/kubernetes/issues/56374
// Keep docker's behavior for now.
g.Spec().Process.Capabilities.Ambient = []string{}
g.SetProcessSelinuxLabel(processLabel) g.SetProcessSelinuxLabel(processLabel)
g.SetLinuxMountLabel(mountLabel) g.SetLinuxMountLabel(mountLabel)


@ -261,6 +261,7 @@ func TestContainerCapabilities(t *testing.T) {
assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude) assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude) assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
} }
assert.Empty(t, spec.Process.Capabilities.Ambient)
} }
} }