github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

Erase ambient capabilities.

Browse Source 
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
Lantao Liu 2018-06-08 11:53:10 -07:00
parent de84f9c0cd
commit b367f30097
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/server/container_create.go
View File

@ -372,6 +372,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
securityContext.GetCapabilities()) securityContext.GetCapabilities())
} }
} }
// Clear all ambient capabilities. The implication of non-root + caps
// is not clearly defined in Kubernetes.
// See https://github.com/kubernetes/kubernetes/issues/56374
// Keep docker's behavior for now.
g.Spec().Process.Capabilities.Ambient = []string{}
g.SetProcessSelinuxLabel(processLabel) g.SetProcessSelinuxLabel(processLabel)
g.SetLinuxMountLabel(mountLabel) g.SetLinuxMountLabel(mountLabel)

1
pkg/server/container_create_test.go
View File

@ -261,6 +261,7 @@ func TestContainerCapabilities(t *testing.T) {
assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude) assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude) assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
} }
assert.Empty(t, spec.Process.Capabilities.Ambient)
} }
} }