diff --git a/pkg/specgen/generate/security_linux.go b/pkg/specgen/generate/security_linux.go
index 15e1d5256eac..21ec7a780a32 100644
--- a/pkg/specgen/generate/security_linux.go
+++ b/pkg/specgen/generate/security_linux.go
@@ -125,7 +125,9 @@ func securityConfigureGenerator(s *specgen.SpecGenerator, g *generate.Generator,
 capsRequiredRequested = strings.Split(val, ",")
 }
 }
- if !s.Privileged && len(capsRequiredRequested) > 0 {
+ if !s.Privileged && len(capsRequiredRequested) == 1 && capsRequiredRequested[0] == "" {
+ caplist = []string{}
+ } else if !s.Privileged && len(capsRequiredRequested) > 0 {
 // Pass capRequiredRequested in CapAdd field to normalize capabilities names
 capsRequired, err := capabilities.MergeCapabilities(nil, capsRequiredRequested, nil)
 if err != nil {
diff --git a/test/e2e/run_security_labels_test.go b/test/e2e/run_security_labels_test.go
index 0d45d18d3f30..2bee9c6bb65f 100644
--- a/test/e2e/run_security_labels_test.go
+++ b/test/e2e/run_security_labels_test.go
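Review bot: The new empty-label branch matches only the exact value `""`, so a label value such as `" "`, `","` or `"setuid,"` still falls through to the `else if` and passes an empty or blank element to `capabilities.MergeCapabilities`, whose handling of it is not visible in this hunk. Because this label decides which capabilities the container keeps, those forms should be handled deliberately, either as "no capabilities" or as an error; a minimal step is `capsRequiredRequested[0] == ""` → `strings.TrimSpace(capsRequiredRequested[0]) == ""`. The branch would also read more easily with a comment such as `// strings.Split("", ",") returns [""]: the label is present but empty, so drop all capabilities`. securityConfigureGenerator begins and ends outside the hunk, so how `caplist` is built before this point and consumed after it cannot be checked here.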
@@ -11,6 +11,23 @@ import ( var _ = Describe("Podman generate kube", func() { + It("podman empty security labels", func() { + test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=", "--name", "test1", "alpine", "echo", "test1"}) + test1.WaitWithDefaultTimeout() + Expect(test1).Should(Exit(0)) + + inspect := podmanTest.Podman([]string{"inspect", "test1"}) + inspect.WaitWithDefaultTimeout() + Expect(inspect).Should(Exit(0)) + + ctr := inspect.InspectContainerToJSON() + Expect(ctr[0].EffectiveCaps).To(BeNil()) + + test2 := podmanTest.Podman([]string{"run", "--label", "io.containers.capabilities=", "alpine", "grep", "^CapEff", "/proc/self/status"}) + test2.WaitWithDefaultTimeout() + Expect(test2.OutputToString()).To(ContainSubstring("0000000000000000")) + }) + It("podman security labels", func() { test1 := podmanTest.Podman([]string{"create", "--label", "io.containers.capabilities=setuid,setgid", "--name", "test1", "alpine", "echo", "test1"}) test1.WaitWithDefaultTimeout()
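Review bot: The `podman run` case inspects only `CapEff` and, unlike the two invocations before it, never asserts the exit status. If the intent is that an empty label leaves the container with no capabilities at all, an all-zero effective set does not show that the permitted and bounding sets are empty too, so a regression there would still pass. Consider grepping with `-E` for `^Cap(Prm|Eff|Bnd)` and expecting every returned line to be all zeros. Adding `Expect(test2).Should(Exit(0))` before the output check would also make a failed run report as a failed run rather than as a substring mismatch.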