From b367f3009761fbbd8691c3fe587f3f494704d9a8 Mon Sep 17 00:00:00 2001
From: Lantao Liu
Date: Fri, 8 Jun 2018 11:53:10 -0700
Subject: [PATCH] Erase ambient capabilities.

Signed-off-by: Lantao Liu
---
 pkg/server/container_create.go | 5 +++++
 pkg/server/container_create_test.go | 1 +
 2 files changed, 6 insertions(+)

diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
index 6b1c5626e..7f36eb1bf 100644
--- a/pkg/server/container_create.go
+++ b/pkg/server/container_create.go
@@ -372,6 +372,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 				securityContext.GetCapabilities())
 		}
 	}
+	// Clear all ambient capabilities. The implication of non-root + caps
+	// is not clearly defined in Kubernetes.
+	// See https://github.com/kubernetes/kubernetes/issues/56374
+	// Keep docker's behavior for now.
+	g.Spec().Process.Capabilities.Ambient = []string{}
 	g.SetProcessSelinuxLabel(processLabel)
 	g.SetLinuxMountLabel(mountLabel)
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
index d7bde6daa..474f17c24 100644
--- a/pkg/server/container_create_test.go
+++ b/pkg/server/container_create_test.go
@@ -261,6 +261,7 @@ func TestContainerCapabilities(t *testing.T) {
 			assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
 			assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
 		}
+		assert.Empty(t, spec.Process.Capabilities.Ambient)
 	}
 }
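Review bot: The new line `g.Spec().Process.Capabilities.Ambient = []string{}` in generateContainerSpec dereferences `Capabilities` unconditionally, while the capability block just above it only runs on the security-context add/drop path, so if `Process.Capabilities` can be nil when no capabilities were requested this line panics instead of clearing anything. Unless the spec generator is known to always populate it, guard the write: `if caps := g.Spec().Process.Capabilities; caps != nil { caps.Ambient = []string{} }`. The comment would also be more useful if it said why the clear sits here, e.g. `// Must run after all capability add/drop handling so nothing re-populates the ambient set.`, since the defensive value of this change depends on no later code path in the function adding ambient capabilities back (the function starts and ends outside the hunk, so that cannot be confirmed from here). The added `assert.Empty` in TestContainerCapabilities is consistent with either `nil` or an empty slice, which matches how the OCI runtime treats an absent ambient set.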