Merge pull request #19871 from giuseppe/accept-empty-capabilities

security: accept empty capabilities list
2025-12-09 23:27:09 +08:00 · 2023-09-06 17:16:52 +02:00
parent 2806378c1a 30abd7f1af
commit af17ddaeed
2 changed files with 20 additions and 1 deletions
--- a/test/e2e/run_security_labels_test.go
+++ b/test/e2e/run_security_labels_test.go
@@ -11,6 +11,23 @@ import (

 var _ = Describe("Podman generate kube", func() {

+	It("podman empty security labels", func() {
+		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=", "--name", "test1", "alpine", "echo", "test1"})
+		test1.WaitWithDefaultTimeout()
+		Expect(test1).Should(Exit(0))
+
+		inspect := podmanTest.Podman([]string{"inspect", "test1"})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect).Should(Exit(0))
+
+		ctr := inspect.InspectContainerToJSON()
+		Expect(ctr[0].EffectiveCaps).To(BeNil())
+
+		test2 := podmanTest.Podman([]string{"run", "--label", "io.containers.capabilities=", "alpine", "grep", "^CapEff", "/proc/self/status"})
+		test2.WaitWithDefaultTimeout()
+		Expect(test2.OutputToString()).To(ContainSubstring("0000000000000000"))
+	})
+
 	It("podman security labels", func() {
 		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
 		test1.WaitWithDefaultTimeout()