Merge pull request #580 from gitlawr/supportCap_add_drop

Add Support for cap_add & cap_drop
2017-04-28 09:31:10 -04:00 · 2017-04-28 09:31:10 -04:00 · 0acfc20f72
commit 0acfc20f72
parent 0d3a7084c2 3916eb9f60
5 changed files with 48 additions and 7 deletions
--- a/docs/conversion.md
+++ b/docs/conversion.md
@ -6,7 +6,7 @@ This document outlines all the conversion details regarding `docker-compose.yaml
 |-------------------|---------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
 | __SERVICE__ |  |  |  |  |
 | build |  | Y | OpenShift: [BuildConfig](https://docs.openshift.com/enterprise/3.1/dev_guide/builds.html#defining-a-buildconfig) | Converts, but local builds are not yet supported. See issue [97](https://github.com/kubernetes-incubator/kompose/issues/97) |
-| cap_add, cap_drop |  | N |  |  |
+| cap_add, cap_drop |  | Y | [Pod.Spec.Container.SecurityContext.Capabilities.Add/Drop](https://kubernetes.io/docs/api-reference/v1.6/#capabilities-v1-core) |  |
 | command |  | Y | [Pod.Spec.Container.Command](https://kubernetes.io/docs/api-reference/v1/definitions/#_v1_container) |  |
 | cgroup_parent |  | N |  | No compatibility with Kubernetes / OpenShift. Limited use-cases with Docker. |
 | container_name |  | Y | Mapped to both [Metadata.Name](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/identifiers.md) and [Deployment.Spec.Containers.Name](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/identifiers.md) |  |
--- a/pkg/loader/compose/compose.go
+++ b/pkg/loader/compose/compose.go
@ -51,8 +51,6 @@ func checkUnsupportedKey(composeProject *project.Project) []string {
 	// to make sure that unsupported key is not going to be reported twice
 	// by keeping record if already saw this key in another service
 	var unsupportedKey = map[string]bool{
-		"CapAdd":        false,
-		"CapDrop":       false,
 		"CgroupParent":  false,
 		"CPUSet":        false,
 		"CPUShares":     false,
--- a/pkg/transformer/kubernetes/k8sutils.go
+++ b/pkg/transformer/kubernetes/k8sutils.go
@ -361,6 +361,9 @@ func (k *Kubernetes) UpdateKubernetesObjects(name string, service kobject.Servic
 	// Configure the container ports.
 	ports := k.ConfigPorts(name, service)

+	// Configure capabilities
+	capabilities := k.ConfigCapabilities(service)
+
 	// Configure annotations
 	annotations := transformer.ConfigAnnotations(service)

@ -401,6 +404,11 @@ func (k *Kubernetes) UpdateKubernetesObjects(name string, service kobject.Servic

 		}

+		//set capabilities if it is not empty
+		if len(capabilities.Add) > 0 || len(capabilities.Drop) > 0 {
+			securityContext.Capabilities = capabilities
+		}
+
 		// update template only if securityContext is not empty
 		if *securityContext != (api.SecurityContext{}) {
 			template.Spec.Containers[0].SecurityContext = securityContext
--- a/pkg/transformer/kubernetes/kubernetes.go
+++ b/pkg/transformer/kubernetes/kubernetes.go
@ -331,6 +331,22 @@ func (k *Kubernetes) ConfigServicePorts(name string, service kobject.ServiceConf
 	return servicePorts
 }

+//ConfigCapabilities configure POSIX capabilities that can be added or removed to a container
+func (k *Kubernetes) ConfigCapabilities(service kobject.ServiceConfig) *api.Capabilities {
+	capsAdd := []api.Capability{}
+	capsDrop := []api.Capability{}
+	for _, capAdd := range service.CapAdd {
+		capsAdd = append(capsAdd, api.Capability(capAdd))
+	}
+	for _, capDrop := range service.CapDrop {
+		capsDrop = append(capsDrop, api.Capability(capDrop))
+	}
+	return &api.Capabilities{
+		Add:  capsAdd,
+		Drop: capsDrop,
+	}
+}
+
 // ConfigTmpfs configure the tmpfs.
 func (k *Kubernetes) ConfigTmpfs(name string, service kobject.ServiceConfig) ([]api.VolumeMount, []api.Volume) {
 	//initializing volumemounts and volumes
--- a/pkg/transformer/kubernetes/kubernetes_test.go
+++ b/pkg/transformer/kubernetes/kubernetes_test.go
@ -45,10 +45,10 @@ func newServiceConfig() kobject.ServiceConfig {
 		Network:       []string{"network1", "network2"}, // not supported
 		Labels:        nil,
 		Annotations:   map[string]string{"abc": "def"},
-		CPUQuota:      1,                    // not supported
-		CapAdd:        []string{"cap_add"},  // not supported
-		CapDrop:       []string{"cap_drop"}, // not supported
-		Expose:        []string{"expose"},   // not supported
+		CPUQuota:      1, // not supported
+		CapAdd:        []string{"cap_add"},
+		CapDrop:       []string{"cap_drop"},
+		Expose:        []string{"expose"}, // not supported
 		Privileged:    true,
 		Restart:       "always",
 		Stdin:         true,
@ -509,3 +509,22 @@ func TestConfigTmpfs(t *testing.T) {
 	}

 }
+
+func TestConfigCapabilities(t *testing.T) {
+	testCases := map[string]struct {
+		service kobject.ServiceConfig
+		result  api.Capabilities
+	}{
+		"ConfigCapsWithAddDrop": {kobject.ServiceConfig{CapAdd: []string{"CHOWN", "SETUID"}, CapDrop: []string{"KILL"}}, api.Capabilities{Add: []api.Capability{api.Capability("CHOWN"), api.Capability("SETUID")}, Drop: []api.Capability{api.Capability("KILL")}}},
+		"ConfigCapsNoAddDrop":   {kobject.ServiceConfig{CapAdd: nil, CapDrop: nil}, api.Capabilities{Add: []api.Capability{}, Drop: []api.Capability{}}},
+	}
+
+	k := Kubernetes{}
+	for name, test := range testCases {
+		t.Log("Test case:", name)
+		result := k.ConfigCapabilities(test.service)
+		if !reflect.DeepEqual(result.Add, test.result.Add) || !reflect.DeepEqual(result.Drop, test.result.Drop) {
+			t.Errorf("Not expected result for ConfigCapabilities")
+		}
+	}
+}