Add support for --cap-drop

- closes GoogleContainerTools#389
ddl-ebrown · Oct 24, 2023 · 7af0286 · 7af0286
1 parent 0db4700
commit 7af0286
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 16 deletions.
diff --git a/README.md b/README.md
@@ -303,6 +303,8 @@ containerRunOptions:
     - OTHER_SECRET_BAR
   capabilities:                 # Add list of Linux capabilities (--cap-add)
     - NET_BIND_SERVICE
+  drop_capabilities:            # Drop list of Linux capabilities (--cap-drop)
+    - NET_BIND_SERVICE
   bindMounts:                   # Bind mount a volume (--volume, -v)
     - /etc/example/dir:/etc/dir
 ```

diff --git a/pkg/drivers/docker_driver.go b/pkg/drivers/docker_driver.go
@@ -19,13 +19,14 @@ import (
 	"bufio"
 	"bytes"
 	"fmt"
-	"github.com/joho/godotenv"
 	"io"
 	"os"
 	"path"
 	"path/filepath"
 	"strings"
 
+	"github.com/joho/godotenv"
+
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 
@@ -66,17 +67,19 @@ func NewDockerDriver(args DriverConfig) (Driver, error) {
 func (d *DockerDriver) hostConfig() *docker.HostConfig {
 	if d.runOpts.IsSet() && d.runtime != "" {
 		return &docker.HostConfig{
-			Capabilities: d.runOpts.Capabilities,
-			Binds:        d.runOpts.BindMounts,
-			Privileged:   d.runOpts.Privileged,
-			Runtime:      d.runtime,
+			CapAdd:     d.runOpts.CapAdd,
+			CapDrop:    d.runOpts.CapDrop,
+			Binds:      d.runOpts.BindMounts,
+			Privileged: d.runOpts.Privileged,
+			Runtime:    d.runtime,
 		}
 	}
 	if d.runOpts.IsSet() {
 		return &docker.HostConfig{
-			Capabilities: d.runOpts.Capabilities,
-			Binds:        d.runOpts.BindMounts,
-			Privileged:   d.runOpts.Privileged,
+			CapAdd:     d.runOpts.CapAdd,
+			CapDrop:    d.runOpts.CapDrop,
+			Binds:      d.runOpts.BindMounts,
+			Privileged: d.runOpts.Privileged,
 		}
 	}
 	if d.runtime != "" {

diff --git a/pkg/types/unversioned/types.go b/pkg/types/unversioned/types.go
@@ -45,13 +45,14 @@ type Config struct {
 }
 
 type ContainerRunOptions struct {
-	User         string
-	Privileged   bool
-	TTY          bool     `yaml:"allocateTty"`
-	EnvVars      []string `yaml:"envVars"`
-	EnvFile      string   `yaml:"envFile"`
-	Capabilities []string
-	BindMounts   []string `yaml:"bindMounts"`
+	User       string
+	Privileged bool
+	TTY        bool     `yaml:"allocateTty"`
+	EnvVars    []string `yaml:"envVars"`
+	EnvFile    string   `yaml:"envFile"`
+	CapAdd     []string `yaml:"capabilities"`
+	CapDrop    []string `yaml:"drop_capabilities"`
+	BindMounts []string `yaml:"bindMounts"`
 }
 
 func (opts *ContainerRunOptions) IsSet() bool {
@@ -60,7 +61,8 @@ func (opts *ContainerRunOptions) IsSet() bool {
 		opts.TTY ||
 		len(opts.EnvFile) > 0 ||
 		(opts.EnvVars != nil && len(opts.EnvVars) > 0) ||
-		(opts.Capabilities != nil && len(opts.Capabilities) > 0) ||
+		(opts.CapAdd != nil && len(opts.CapAdd) > 0) ||
+		(opts.CapDrop != nil && len(opts.CapDrop) > 0) ||
 		(opts.BindMounts != nil && len(opts.BindMounts) > 0)
 }