Erase ambient capabilities.

Signed-off-by: Lantao Liu <lantaol@google.com>
2018-06-08 11:53:10 -07:00 · 2018-06-08 11:53:10 -07:00 · b367f30097
commit b367f30097
parent de84f9c0cd
2 changed files with 6 additions and 0 deletions
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@ -372,6 +372,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 				securityContext.GetCapabilities())
 		}
 	}
+	// Clear all ambient capabilities. The implication of non-root + caps
+	// is not clearly defined in Kubernetes.
+	// See https://github.com/kubernetes/kubernetes/issues/56374
+	// Keep docker's behavior for now.
+	g.Spec().Process.Capabilities.Ambient = []string{}

 	g.SetProcessSelinuxLabel(processLabel)
 	g.SetLinuxMountLabel(mountLabel)
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@ -261,6 +261,7 @@ func TestContainerCapabilities(t *testing.T) {
 			assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
 			assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
 		}
+		assert.Empty(t, spec.Process.Capabilities.Ambient)
 	}
 }