Merge pull request #9283 from vrothberg/fix-8897

generate kube: do not set caps with --privileged
2025-07-29 11:22:38 +08:00 · 2021-02-09 14:23:15 -05:00
parent 763d522983 48c612cf66
commit 995a60481a
2 changed files with 48 additions and 7 deletions
--- a/libpod/kube.go
+++ b/libpod/kube.go
@ -322,7 +322,8 @@ func containerToV1Container(c *Container) (v1.Container, []v1.Volume, *v1.PodDNS
 		return kubeContainer, kubeVolumes, nil, err
 	}
-	if len(c.config.Spec.Linux.Devices) > 0 {
+	// NOTE: a privileged container mounts all of /dev/*.
 	if !c.Privileged() && len(c.config.Spec.Linux.Devices) > 0 {
 		// TODO Enable when we can support devices and their names
 		kubeContainer.VolumeDevices = generateKubeVolumeDeviceFromLinuxDevice(c.Spec().Linux.Devices)
 		return kubeContainer, kubeVolumes, nil, errors.Wrapf(define.ErrNotImplemented, "linux devices")
@ -625,14 +626,19 @@ func capAddDrop(caps *specs.LinuxCapabilities) (*v1.Capabilities, error) {
 // generateKubeSecurityContext generates a securityContext based on the existing container
 func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
-	priv := c.Privileged()
+	privileged := c.Privileged()
 	ro := c.IsReadOnly()
 	allowPrivEscalation := !c.config.Spec.Process.NoNewPrivileges
 	var capabilities *v1.Capabilities
 	if !privileged {
 		// Running privileged adds all caps.
 		newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities)
 		if err != nil {
 			return nil, err
 		}
 		capabilities = newCaps
 	}
 	var selinuxOpts v1.SELinuxOptions
 	opts := strings.SplitN(c.config.Spec.Annotations[define.InspectAnnotationLabel], ":", 2)
@ -651,8 +657,8 @@ func generateKubeSecurityContext(c *Container) (*v1.SecurityContext, error) {
 	}
 	sc := v1.SecurityContext{
-		Capabilities:   newCaps,
+		Capabilities:   capabilities,
-		Privileged:     &priv,
+		Privileged:     &privileged,
 		SELinuxOptions: &selinuxOpts,
 		// RunAsNonRoot is an optional parameter; our first implementations should be root only; however
 		// I'm leaving this as a bread-crumb for later
--- a/test/e2e/generate_kube_test.go
+++ b/test/e2e/generate_kube_test.go
@ -699,4 +699,39 @@ ENTRYPOINT /bin/sleep`
 		Expect(containers[0].Command).To(Equal([]string{"/bin/sh", "-c", "/bin/sleep"}))
 		Expect(containers[0].Args).To(Equal([]string{"10s"}))
 	})
 	It("podman generate kube - --privileged container", func() {
 		session := podmanTest.Podman([]string{"create", "--pod", "new:testpod", "--privileged", ALPINE, "ls"})
 		session.WaitWithDefaultTimeout()
 		Expect(session.ExitCode()).To(Equal(0))
 		kube := podmanTest.Podman([]string{"generate", "kube", "testpod"})
 		kube.WaitWithDefaultTimeout()
 		Expect(kube.ExitCode()).To(Equal(0))
 		// Now make sure that the capabilities aren't set.
 		pod := new(v1.Pod)
 		err := yaml.Unmarshal(kube.Out.Contents(), pod)
 		Expect(err).To(BeNil())
 		containers := pod.Spec.Containers
 		Expect(len(containers)).To(Equal(1))
 		Expect(containers[0].SecurityContext.Capabilities).To(BeNil())
 		// Now make sure we can also `play` it.
 		kubeFile := filepath.Join(podmanTest.TempDir, "kube.yaml")
 		kube = podmanTest.Podman([]string{"generate", "kube", "testpod", "-f", kubeFile})
 		kube.WaitWithDefaultTimeout()
 		Expect(kube.ExitCode()).To(Equal(0))
 		// Remove the pod so play can recreate it.
 		kube = podmanTest.Podman([]string{"pod", "rm", "-f", "testpod"})
 		kube.WaitWithDefaultTimeout()
 		Expect(kube.ExitCode()).To(Equal(0))
 		kube = podmanTest.Podman([]string{"play", "kube", kubeFile})
 		kube.WaitWithDefaultTimeout()
 		Expect(kube.ExitCode()).To(Equal(0))
 	})
 })