Only drop capabilities that are not added

It appears that containerd (or k8s 1.24?) have changed the behavior around adding/dropping linux capabilities and added caps no longer take precedence over dropped ones
Yelp · Sep 25, 2024 · d659eae · d659eae
1 parent 18cd8f9
commit d659eae
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/paasta_tools/kubernetes_tools.py b/paasta_tools/kubernetes_tools.py
@@ -1396,7 +1396,16 @@ def get_security_context(self) -> Optional[V1SecurityContext]:
             return V1SecurityContext(capabilities=V1Capabilities(drop=CAPS_DROP))
         else:
             return V1SecurityContext(
-                capabilities=V1Capabilities(add=cap_add, drop=CAPS_DROP)
+                # XXX: we should probably generally work in sets, but V1Capabilities is typed as accepting
+                # lists of string only
+                capabilities=V1Capabilities(
+                    add=cap_add,
+                    # NOTE: this is necessary as containerd differs in behavior from dockershim: in dockershim
+                    # dropped capabilities were overriden if the same capability was added - but in containerd
+                    # the dropped capabilities appear to have higher priority.
+                    # (or maybe this is a k8s behavior change?)
+                    drop=list(set(CAPS_DROP) - set(cap_add)),
+                )
             )
 
     def get_kubernetes_containers(