From 1bdf740739eadf90b8bfc3e65e39153d783ad343 Mon Sep 17 00:00:00 2001
From: hwchiu
Date: Wed, 25 Jul 2018 09:57:04 +0000
Subject: [PATCH] Support the capability for pods, we only have two options, god or nobody

---
 API.md | 6 +++---
 src/entity/pod.go | 1 +
 src/pod/pod.go | 26 ++++++++++++++++++++++----
 src/pod/pod_test.go | 11 +++++++++++
 src/server/handler_pod_test.go | 1 +
 tests/pod.json | 3 ++-
 6 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/API.md b/API.md
index adf8dfd9..ac891e8b 100644
--- a/API.md
+++ b/API.md
@@ -397,8 +397,7 @@ For each Pod, we have fileds need to handle.
 - vlanTag: the vlan tag for `ifName` interface.
 - ipADdress: the IPv4 address of the `ifName` interface.
 - netmask: the IPv4 netmask of the `ifName` interface.
-7. restartPolicy: the attribute how the pod restart is container, it should be a string and only valid for those following strings.
- Always,OnFailure,Never
+7. capability: the power of the container, if it's ture, it will get almost all capability and act as a privileged=true.
 
 Example:
 
@@ -421,7 +420,8 @@ Request Data:
 "netmask":"255.255.255.0"
 },
 "volumes":[
-]
+],
+"capability":true
 }
 ```
 
diff --git a/src/entity/pod.go b/src/entity/pod.go
index 9c6d34b0..c26ca41f 100644
--- a/src/entity/pod.go
+++ b/src/entity/pod.go
@@ -51,6 +51,7 @@ type Pod struct {
 	CreatedAt *time.Time `bson:"createdAt,omitempty" json:"createdAt,omitempty" validate:"-"`
 	Volumes []PodVolume `bson:"volumes,omitempty" json:"volumes" validate:"required,dive,required"`
 	Networks []PodNetwork `bson:"networks,omitempty" json:"networks" validate:"required,dive,required"`
+	Capability bool `bson:"capability" json:"Capability" validate:"required"`
 }
 
 // GetCollection - get model mongo collection name.
diff --git a/src/pod/pod.go b/src/pod/pod.go
index 106e8db3..b24e7d75 100644
--- a/src/pod/pod.go
+++ b/src/pod/pod.go
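Review bot: `validate:"required"` on the new `Capability bool` field in the entity hunk rejects the zero value, so if these tags are consumed by go-playground/validator (as the `dive` syntax next to it suggests) a request with `"capability": false` or with the field omitted fails validation and the only value the API accepts is `true` — the unprivileged option the commit message and API.md promise is unreachable, and the handler test in this same patch having to set `Capability: true` looks like a symptom of that. A boolean that selects privileged mode should default to the safe value, so drop the tag: `Capability bool `bson:"capability" json:"capability"``. That also fixes the JSON key: `json:"Capability"` breaks the lowercase convention of the neighbouring fields and of the API.md example (`"capability":true`); decoding still works case-insensitively, but responses will emit `Capability`. The `Pod` struct starts before this hunk.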
@@ -15,6 +15,8 @@ import (
 	"gopkg.in/mgo.v2/bson"
 )
 
+var allCapabilities = []corev1.Capability{"NET_ADMIN", "SYS_ADMIN", "NET_RAW"}
+
 // VolumeNamePrefix will set prefix of volumename
 const VolumeNamePrefix = "volume-"
 
@@ -182,6 +184,20 @@ func generateNetwork(session *mongo.Session, pod *entity.Pod) ([]string, []corev
 	return nodes, containers, err
 }
 
+func generateContainerSecurity(pod *entity.Pod) *corev1.SecurityContext {
+	if !pod.Capability {
+		return &corev1.SecurityContext{}
+	}
+
+	privileged := true
+	return &corev1.SecurityContext{
+		Privileged: &privileged,
+		Capabilities: &corev1.Capabilities{
+			Add: allCapabilities,
+		},
+	}
+}
+
 func generateAffinity(nodeNames []string) *corev1.Affinity {
 	if len(nodeNames) == 0 {
 		return &corev1.Affinity{}
@@ -230,12 +246,14 @@ func CreatePod(sp *serviceprovider.Container, pod *entity.Pod) error {
 	})
 
 	var containers []corev1.Container
+	securityContext := generateContainerSecurity(pod)
 	for _, container := range pod.Containers {
 		containers = append(containers, corev1.Container{
-			Name: container.Name,
-			Image: container.Image,
-			Command: container.Command,
-			VolumeMounts: volumeMounts,
+			Name: container.Name,
+			Image: container.Image,
+			Command: container.Command,
+			VolumeMounts: volumeMounts,
+			SecurityContext: securityContext,
 		})
 	}
 
diff --git a/src/pod/pod_test.go b/src/pod/pod_test.go
index 668ce5cf..e40fb8c0 100644
--- a/src/pod/pod_test.go
+++ b/src/pod/pod_test.go
@@ -334,5 +334,16 @@ func (suite *PodTestSuite) TestGenerateAffinity() {
 	suite.Nil(affinity.NodeAffinity)
 	affinity = generateAffinity([]string{"123"})
 	suite.NotNil(affinity.NodeAffinity)
+}
+
+func (suite *PodTestSuite) TestGenerateContainerSecurityContext() {
+	pod := &entity.Pod{}
+	security := generateContainerSecurity(pod)
+	suite.Nil(security.Privileged)
+	suite.Nil(security.Capabilities)
+	pod.Capability = true
+	security = generateContainerSecurity(pod)
+	suite.NotNil(security.Privileged)
+	suite.NotNil(security.Capabilities)
 }
 
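Review bot: In generateContainerSecurity, `Privileged: &privileged` already gives the container every Linux capability and disables most other isolation, so the `Capabilities.Add` list of NET_ADMIN/SYS_ADMIN/NET_RAW is redundant and the package-level name `allCapabilities` is misleading for a three-entry list. Pick one: if "almost all capability" (API.md) is the intent, drop `Privileged` and keep only the explicit `Add` list, which is the least-privilege form; if full privilege is the intent, drop the `Add` list and rename the variable or remove it. Separately, a single boolean in the request body now turns every container in the pod privileged, and nothing visible in this hunk checks who is allowed to request that — if CreatePod is reachable by non-admin API users, the privileged path needs an authorization gate and an audit log entry. The `false` branch could also set `AllowPrivilegeEscalation: &f` so the default context is actually restrictive rather than empty.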
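Review bot: TestGenerateContainerSecurityContext only asserts that `Privileged` and `Capabilities` are non-nil for the capability=true case, so a regression that sets `Privileged` to false or leaves `Add` empty would still pass. Dereference and compare the values: `suite.True(*security.Privileged)` and `suite.Equal(allCapabilities, security.Capabilities.Add)`. For the false case, asserting the whole context is the zero value (`suite.Equal(&corev1.SecurityContext{}, security)`, assuming corev1 is imported in this test file) pins the unprivileged default more tightly than two `Nil` checks.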
diff --git a/src/server/handler_pod_test.go b/src/server/handler_pod_test.go
index 983cc781..5d010f4b 100644
--- a/src/server/handler_pod_test.go
+++ b/src/server/handler_pod_test.go
@@ -67,6 +67,7 @@ func (suite *PodTestSuite) TestCreatePod() {
 		Containers: containers,
 		Volumes: []entity.PodVolume{},
 		Networks: []entity.PodNetwork{},
+		Capability: true,
 	}
 
 	bodyBytes, err := json.MarshalIndent(pod, "", " ")
diff --git a/tests/pod.json b/tests/pod.json
index 1953b6d5..b3f07a54 100644
--- a/tests/pod.json
+++ b/tests/pod.json
@@ -34,5 +34,6 @@
 "netmask":"255.255.255.0"
 }
 ],
-"volumes":[]
+"volumes":[],
+"capability": true
 }