Merge pull request #812 from Random-Liu/cherrypick-#808

Random-Liu · web-flow · commit 4cf084d1b832 · 2018-06-11T13:26:40.000-07:00
Erase ambient capabilities.
diff --git a/pkg/server/container_create.go b/pkg/server/container_create.go
@@ -372,6 +372,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP
 				securityContext.GetCapabilities())
 		}
 	}
+	// Clear all ambient capabilities. The implication of non-root + caps
+	// is not clearly defined in Kubernetes.
+	// See https://github.com/kubernetes/kubernetes/issues/56374
+	// Keep docker's behavior for now.
+	g.Spec().Process.Capabilities.Ambient = []string{}
 
 	g.SetProcessSelinuxLabel(processLabel)
 	g.SetLinuxMountLabel(mountLabel)
diff --git a/pkg/server/container_create_test.go b/pkg/server/container_create_test.go
@@ -261,6 +261,7 @@ func TestContainerCapabilities(t *testing.T) {
 			assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)
 			assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)
 		}
+		assert.Empty(t, spec.Process.Capabilities.Ambient)
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -372,6 +372,11 @@ func (c *criService) generateContainerSpec(id string, sandboxID string, sandboxP`
`372`	`372`	`securityContext.GetCapabilities())`
`373`	`373`	`}`
`374`	`374`	`}`
	`375`	`+ // Clear all ambient capabilities. The implication of non-root + caps`
	`376`	`+ // is not clearly defined in Kubernetes.`
	`377`	`+ // See https://github.com/kubernetes/kubernetes/issues/56374`
	`378`	`+ // Keep docker's behavior for now.`
	`379`	`+ g.Spec().Process.Capabilities.Ambient = []string{}`
`375`	`380`
`376`	`381`	`g.SetProcessSelinuxLabel(processLabel)`
`377`	`382`	`g.SetLinuxMountLabel(mountLabel)`
Original file line number	Diff line number	Diff line change
`@@ -261,6 +261,7 @@ func TestContainerCapabilities(t *testing.T) {`
`261`	`261`	`assert.NotContains(t, spec.Process.Capabilities.Inheritable, exclude)`
`262`	`262`	`assert.NotContains(t, spec.Process.Capabilities.Permitted, exclude)`
`263`	`263`	`}`
	`264`	`+ assert.Empty(t, spec.Process.Capabilities.Ambient)`
`264`	`265`	`}`
`265`	`266`	`}`
`266`	`267`