generate kube: do not set caps with --privileged #9283
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vrothberg The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
LGTM |
|
Alright, hitting the same error as reported. Will have another look. |
| newCaps, err := capAddDrop(c.config.Spec.Process.Capabilities) | ||
| if err != nil { | ||
| return nil, err | ||
| var capabilities *v1.Capabilities |
There was a problem hiding this comment.
Shouldn't this be initialized? (I'm not a Gohead; I may be missing something obvious)
There was a problem hiding this comment.
That's no required here. Setting the container to privileged implies that all caps get set later on:
$ podman (fix-8897) $ podman top 5e5eb6e0fb43 capeff
EFFECTIVE CAPS
full
|
Tests red. Otherwise LGTM |
Do not play with capabilities for privileged containers where all capabilities will be set implicitly. Also, avoid the device check when running privileged since all of /dev/* will be mounted in any case. Fixes: containers#8897 Signed-off-by: Valentin Rothberg <[email protected]>
|
This is looking good now 👍 |
|
/lgtm |
openshift-ci-robot
added
the
do-not-merge/hold
|
LGTM |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
github-actions
bot
added
the
locked - please file new issue/PR
Do not play with capabilities for privileged containers where all
capabilities will be set implicitly.
While the initital error report from #8897 is not reproducible,
privilged containers could not be executed due the bug at hand.
Fixes: #8897
Signed-off-by: Valentin Rothberg [email protected]