Merge pull request #19871 from giuseppe/accept-empty-capabilities

security: accept empty capabilities list

pkg/specgen/generate/security_linux.go

@@ -125,7 +125,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 				capsRequiredRequested = strings.Split(val, ",")
 			}
 		}
-		if !s.Privileged && len(capsRequiredRequested) > 0 {
+		if !s.Privileged && len(capsRequiredRequested) == 1 && capsRequiredRequested[0] == "" {
+			caplist = []string{}
+		} else if !s.Privileged && len(capsRequiredRequested) > 0 {
 			// Pass capRequiredRequested in CapAdd field to normalize capabilities names
 			capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
 			if err != nil {

test/e2e/run_security_labels_test.go

@@ -11,6 +11,23 @@ import (
 
 var _ = Describe("Podman generate kube", func() {
 
+	It("podman empty security labels", func() {
+		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=", "--name", "test1", "alpine", "echo", "test1"})
+		test1.WaitWithDefaultTimeout()
+		Expect(test1).Should(Exit(0))
+
+		inspect := podmanTest.Podman([]string{"inspect", "test1"})
+		inspect.WaitWithDefaultTimeout()
+		Expect(inspect).Should(Exit(0))
+
+		ctr := inspect.InspectContainerToJSON()
+		Expect(ctr[0].EffectiveCaps).To(BeNil())
+
+		test2 := podmanTest.Podman([]string{"run", "--label", "io.containers.capabilities=", "alpine", "grep", "^CapEff", "/proc/self/status"})
+		test2.WaitWithDefaultTimeout()
+		Expect(test2.OutputToString()).To(ContainSubstring("0000000000000000"))
+	})
+
 	It("podman security labels", func() {
 		test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"})
 		test1.WaitWithDefaultTimeout()