From d659eaeb4abddc45e6dea4a4b1d6019a4ecf2c3b Mon Sep 17 00:00:00 2001
From: Luis Perez
Date: Wed, 25 Sep 2024 09:23:58 -0700
Subject: [PATCH] Only drop capabilities that are not added
It appears that containerd (or k8s 1.24?) have changed the behavior around adding/dropping linux capabilities and added caps no longer take precedence over dropped ones
---
 paasta_tools/kubernetes_tools.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/paasta_tools/kubernetes_tools.py b/paasta_tools/kubernetes_tools.py
index 1cb8b743b5..b1627a410c 100644
--- a/paasta_tools/kubernetes_tools.py
+++ b/paasta_tools/kubernetes_tools.py
@@ -1396,7 +1396,16 @@ def get_security_context(self) -> Optional[V1SecurityContext]:
 return V1SecurityContext(capabilities=V1Capabilities(drop=CAPS_DROP))
 else:
 return V1SecurityContext(
- capabilities=V1Capabilities(add=cap_add, drop=CAPS_DROP)
+ # XXX: we should probably generally work in sets, but V1Capabilities is typed as accepting
+ # lists of string only
+ capabilities=V1Capabilities(
+ add=cap_add,
+ # NOTE: this is necessary as containerd differs in behavior from dockershim: in dockershim
+ # dropped capabilities were overriden if the same capability was added - but in containerd
+ # the dropped capabilities appear to have higher priority.
+ # (or maybe this is a k8s behavior change?)
+ drop=list(set(CAPS_DROP) - set(cap_add)),
+ )
 )

 def get_kubernetes_containers(
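Review bot: `drop=list(set(CAPS_DROP) - set(cap_add))` on the new side yields a non-deterministic list order, because iteration over a set of strings varies between processes under hash randomization, so the same service config can render a differently ordered `drop` list on each run; if the rendered spec is compared against the live one anywhere, that ordering noise can surface as spurious changes. Keeping the baseline's order avoids this while preserving the intent of the comment: `drop=[cap for cap in CAPS_DROP if cap not in set(cap_add)],` (or `sorted(...)` if the existing order is irrelevant). The subtraction is also an exact string match, so a capability spelled differently in `cap_add` than in `CAPS_DROP` (case or a `CAP_` prefix, for example) would not be lifted from the drop list; that fails closed, but a normalization step or a comment stating the expected spelling would make the behaviour visible. Since this is now the one place where service config can remove an entry from the baseline drop list, a short comment such as `# cap_add is allowed to override the CAPS_DROP baseline` would help anyone auditing the hardening defaults. `get_security_context` begins before the hunk, so where `cap_add` comes from and whether it is validated is not visible here.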