Support the capability for pods, we only have two options, god or nobody

API.md

@@ -397,8 +397,7 @@ For each Pod, we have fileds need to handle.
     - vlanTag: the vlan tag for `ifName` interface.
     - ipADdress: the IPv4 address of the `ifName` interface.
     - netmask: the IPv4 netmask of the `ifName` interface.
-7. restartPolicy: the attribute how the pod restart is container, it should be a string and only valid for those following strings.
-    - Always,OnFailure,Never
+7. capability: the power of the container, if it's ture, it will get almost all capability and act as a privileged=true.
 
 Example:
 
@@ -421,7 +420,8 @@ Request Data:
       "netmask":"255.255.255.0"
   },
   "volumes":[
-  ]
+  ],
+  "capability":true
 }
 ```
 

src/entity/pod.go

@@ -51,6 +51,7 @@ type Pod struct {
 	CreatedAt  *time.Time        `bson:"createdAt,omitempty" json:"createdAt,omitempty" validate:"-"`
 	Volumes    []PodVolume       `bson:"volumes,omitempty" json:"volumes" validate:"required,dive,required"`
 	Networks   []PodNetwork      `bson:"networks,omitempty" json:"networks" validate:"required,dive,required"`
+	Capability bool              `bson:"capability" json:"Capability" validate:"required"`
 }
 
 // GetCollection - get model mongo collection name.

src/pod/pod.go

@@ -182,6 +182,22 @@ func generateNetwork(session *mongo.Session, pod *entity.Pod) ([]string, []corev
 	return nodes, containers, err
 }
 
+var AllCapabilities = []corev1.Capability{"NET_ADMIN"}
+
+func generateContainerSecurity(pod *entity.Pod) *corev1.SecurityContext {
+	if !pod.Capability {
+		return &corev1.SecurityContext{}
+	}
+
+	privileged := true
+	return &corev1.SecurityContext{
+		Privileged: &privileged,
+		Capabilities: &corev1.Capabilities{
+			Add: AllCapabilities,
+		},
+	}
+}
+
 func generateAffinity(nodeNames []string) *corev1.Affinity {
 	if len(nodeNames) == 0 {
 		return &corev1.Affinity{}
@@ -230,12 +246,14 @@ func CreatePod(sp *serviceprovider.Container, pod *entity.Pod) error {
 	})
 
 	var containers []corev1.Container
+	securityContext := generateContainerSecurity(pod)
 	for _, container := range pod.Containers {
 		containers = append(containers, corev1.Container{
-			Name:         container.Name,
-			Image:        container.Image,
-			Command:      container.Command,
-			VolumeMounts: volumeMounts,
+			Name:            container.Name,
+			Image:           container.Image,
+			Command:         container.Command,
+			VolumeMounts:    volumeMounts,
+			SecurityContext: securityContext,
 		})
 	}
 

src/pod/pod_test.go

@@ -334,5 +334,16 @@ func (suite *PodTestSuite) TestGenerateAffinity() {
 	suite.Nil(affinity.NodeAffinity)
 	affinity = generateAffinity([]string{"123"})
 	suite.NotNil(affinity.NodeAffinity)
+}
+
+func (suite *PodTestSuite) TestGenerateContainerSecurityContext() {
+	pod := &entity.Pod{}
+	security := generateContainerSecurity(pod)
+	suite.Nil(security.Privileged)
+	suite.Nil(security.Capabilities)
 
+	pod.Capability = true
+	security = generateContainerSecurity(pod)
+	suite.NotNil(security.Privileged)
+	suite.NotNil(security.Capabilities)
 }

src/server/handler_pod_test.go

@@ -67,6 +67,7 @@ func (suite *PodTestSuite) TestCreatePod() {
 		Containers: containers,
 		Volumes:    []entity.PodVolume{},
 		Networks:   []entity.PodNetwork{},
+		Capability: true,
 	}
 
 	bodyBytes, err := json.MarshalIndent(pod, "", "  ")

tests/pod.json

@@ -34,5 +34,6 @@
 			"netmask":"255.255.255.0"
 		}	
 	],
-	"volumes":[]
+	"volumes":[],
+    "capability": true
 }