Add Capability support to play kube

libpod/kube.go

@@ -406,18 +406,26 @@ func determineCapAddDropFromCapabilities(defaultCaps, containerCaps []string) *v
 		drop []v1.Capability
 		add  []v1.Capability
 	)
+	dedupDrop := make(map[string]bool)
+	dedupAdd := make(map[string]bool)
 	// Find caps in the defaultCaps but not in the container's
 	// those indicate a dropped cap
 	for _, capability := range defaultCaps {
 		if !util.StringInSlice(capability, containerCaps) {
-			drop = append(drop, v1.Capability(capability))
+			if _, ok := dedupDrop[capability]; !ok {
+				drop = append(drop, v1.Capability(capability))
+				dedupDrop[capability] = true
+			}
 		}
 	}
 	// Find caps in the container but not in the defaults; those indicate
 	// an added cap
 	for _, capability := range containerCaps {
 		if !util.StringInSlice(capability, defaultCaps) {
-			add = append(add, v1.Capability(capability))
+			if _, ok := dedupAdd[capability]; !ok {
+				add = append(add, v1.Capability(capability))
+				dedupAdd[capability] = true
+			}
 		}
 	}
 

pkg/adapter/pods.go

@@ -682,6 +682,15 @@ func kubeContainerToCreateConfig(ctx context.Context, containerYAML v1.Container
 		if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil {
 			containerConfig.NoNewPrivs = !*containerYAML.SecurityContext.AllowPrivilegeEscalation
 		}
+
+	}
+	if caps := containerYAML.SecurityContext.Capabilities; caps != nil {
+		for _, capability := range caps.Add {
+			containerConfig.CapAdd = append(containerConfig.CapAdd, string(capability))
+		}
+		for _, capability := range caps.Drop {
+			containerConfig.CapDrop = append(containerConfig.CapDrop, string(capability))
+		}
 	}
 
 	containerConfig.Command = []string{}

test/e2e/play_kube_test.go

@@ -25,7 +25,9 @@ spec:
 {{ with .Containers }}
   {{ range . }}
   - command:
-    - {{ .Cmd }}
+    {{ range .Cmd }}
+    - {{.}}
+    {{ end }}
     env:
     - name: PATH
       value: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
@@ -39,7 +41,21 @@ spec:
     resources: {}
     securityContext:
       allowPrivilegeEscalation: true
-      capabilities: {}
+      {{ if .Caps }}
+      capabilities:
+        {{ with .CapAdd }}
+        add:
+          {{ range . }}
+          - {{.}}
+          {{ end }}
+        {{ end }}
+        {{ with .CapDrop }}
+        drop:
+          {{ range . }}
+          - {{.}}
+          {{ end }}
+        {{ end }}
+      {{ end }}
       privileged: false
       readOnlyRootFilesystem: false
     workingDir: /
@@ -54,9 +70,12 @@ type Pod struct {
 }
 
 type Container struct {
-	Cmd   string
-	Image string
-	Name  string
+	Cmd     []string
+	Image   string
+	Name    string
+	Caps    bool
+	CapAdd  []string
+	CapDrop []string
 }
 
 func generateKubeYaml(ctrs []Container, fileName string) error {
@@ -104,8 +123,8 @@ var _ = Describe("Podman generate kube", func() {
 
 	It("podman play kube test correct command", func() {
 		ctrName := "testCtr"
-		ctrCmd := "top"
-		testContainer := Container{ctrCmd, ALPINE, ctrName}
+		ctrCmd := []string{"top"}
+		testContainer := Container{ctrCmd, ALPINE, ctrName, false, nil, nil}
 		tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
 
 		err := generateKubeYaml([]Container{testContainer}, tempFile)
@@ -118,6 +137,46 @@ var _ = Describe("Podman generate kube", func() {
 		inspect := podmanTest.Podman([]string{"inspect", ctrName})
 		inspect.WaitWithDefaultTimeout()
 		Expect(inspect.ExitCode()).To(Equal(0))
-		Expect(inspect.OutputToString()).To(ContainSubstring(ctrCmd))
+		Expect(inspect.OutputToString()).To(ContainSubstring(ctrCmd[0]))
+	})
+
+	It("podman play kube cap add", func() {
+		ctrName := "testCtr"
+		ctrCmd := []string{"cat", "/proc/self/status"}
+		capAdd := "CAP_SYS_ADMIN"
+		testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capAdd}, nil}
+		tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+		err := generateKubeYaml([]Container{testContainer}, tempFile)
+		Expect(err).To(BeNil())
+
+		kube := podmanTest.Podman([]string{"play", "kube", tempFile})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube.ExitCode()).To(Equal(0))
+
+		inspect := podmanTest.Podman([]string{"inspect", ctrName})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect.ExitCode()).To(Equal(0))
+		Expect(inspect.OutputToString()).To(ContainSubstring(capAdd))
+	})
+
+	It("podman play kube cap add", func() {
+		ctrName := "testCtr"
+		ctrCmd := []string{"cat", "/proc/self/status"}
+		capDrop := "CAP_SYS_ADMIN"
+		testContainer := Container{ctrCmd, ALPINE, ctrName, true, []string{capDrop}, nil}
+		tempFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
+
+		err := generateKubeYaml([]Container{testContainer}, tempFile)
+		Expect(err).To(BeNil())
+
+		kube := podmanTest.Podman([]string{"play", "kube", tempFile})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube.ExitCode()).To(Equal(0))
+
+		inspect := podmanTest.Podman([]string{"inspect", ctrName})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect.ExitCode()).To(Equal(0))
+		Expect(inspect.OutputToString()).To(ContainSubstring(capDrop))
 	})
 })