Only drop capabilities that are not added

Just like Yelp/paasta#3972 and Yelp/paasta#3973, we need to ensure that there are no duplicates between cap_add and cap_drop - otherwise, the cap_drop entry will "win" and the duplicate capability will not be added.
Yelp · Dec 19, 2024 · ad93895 · ad93895
1 parent 0a93918
commit ad93895
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/task_processing/plugins/kubernetes/utils.py b/task_processing/plugins/kubernetes/utils.py
@@ -57,8 +57,16 @@ def get_capabilities_for_capability_changes(
     caps = {
         capability_type: capabilities
         for (capability_type, capabilities) in [
-            ("add", list(cap_add)),
-            ("drop", list(cap_drop)),
+            # NOTE: these don't actually need to be sorted since the order of caps here won't
+            # cause bounces or anything - but in case someone is inspired by this, it'll be
+            # good to do the paranoid thing and save them the trouble of debugging what we ran
+            # into in Yelp/paasta#3973
+            ("add", sorted(list(cap_add))),
+            # NOTE: this is necessary as containerd differs in behavior from dockershim: with
+            # dockershim dropped capabilities were overriden if the same capability was added - but
+            # in containerd the dropped capabilities appear to have higher priority.
+            # Related: Yelp/paasta#3972 and Yelp/paasta#3973
+            ("drop", sorted(list(set(cap_drop) - set(cap_add)))),
         ]
         if capabilities
     }