feat: Configurable task capabilities

Signed-off-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com>

pkg/hocon/build.go

@@ -21,6 +21,11 @@ func extractBuild(config *configuration.Config) (*kilt.Build, error) {
 		b.Command = make([]string, 0)
 	}
 
+	b.Capabilities = config.GetStringList("build.capabilities")
+	if b.Capabilities == nil {
+		b.Capabilities = make([]string, 0)
+	}
+
 	b.EnvironmentVariables = extractToStringMap(config, "build.environment_variables")
 
 	if config.IsArray("build.mount") {

pkg/kilt/types.go

@@ -29,6 +29,7 @@ type Build struct {
 	EntryPoint           []string
 	Command              []string
 	EnvironmentVariables map[string]string
+	Capabilities         []string
 
 	Resources []BuildResource
 }

runtimes/cloudformation/cfnpatcher/cfn_test.go

@@ -70,6 +70,7 @@ build {
 			entry_point: ["/kilt/wait"]
 		}
 	]
+	capabilities: ["SYS_PTRACE"]
 }
 `
 
@@ -88,6 +89,7 @@ build {
 			entry_point: ["/kilt/wait"]
 		}
 	]
+	capabilities: ["SYS_PTRACE"]
 }
 `
 
@@ -106,6 +108,7 @@ build {
 			}
 		}
 	]
+	capabilities: ["SYS_PTRACE"]
 }
 `
 

runtimes/cloudformation/cfnpatcher/patcher.go

@@ -206,27 +206,40 @@ func applyContainerDefinitionPatch(ctx context.Context, container *gabs.Containe
 
 	}
 
-	// We need to add SYS_PTRACE capability to the container
-	if !container.Exists("LinuxParameters") {
-		emptyMap := make(map[string]interface{})
-		_, err = container.Set(emptyMap, "LinuxParameters")
-		if err != nil {
-			return fmt.Errorf("could not add LinuxParameters: %w", err)
+	if len(patch.Capabilities) > 0 {
+		capabilities := make([]interface{}, len(patch.Capabilities))
+		for i, v := range patch.Capabilities {
+			capabilities[i] = v
+		}
+		// We need to add capabilities to the container
+		if !container.Exists("LinuxParameters") {
+			emptyMap := make(map[string]interface{})
+			_, err = container.Set(emptyMap, "LinuxParameters")
+			if err != nil {
+				return fmt.Errorf("could not add LinuxParameters: %w", err)
+			}
 		}
-	}
 
-	if !container.Exists("LinuxParameters", "Capabilities") {
-		emptyMap := make(map[string]interface{})
-		_, err = container.Set(emptyMap, "LinuxParameters", "Capabilities")
-		if err != nil {
-			return fmt.Errorf("could not add LinuxParameters.Capabilities: %w", err)
+		if !container.Exists("LinuxParameters", "Capabilities") {
+			emptyMap := make(map[string]interface{})
+			_, err = container.Set(emptyMap, "LinuxParameters", "Capabilities")
+			if err != nil {
+				return fmt.Errorf("could not add LinuxParameters.Capabilities: %w", err)
+			}
 		}
-	}
 
-	// fargate only supports SYS_PTRACE
-	_, err = container.Set([]string{"SYS_PTRACE"}, "LinuxParameters", "Capabilities", "Add")
-	if err != nil {
-		return fmt.Errorf("could not add LinuxParamaters.Capabilities.Add: %w", err)
+		if !container.Exists("LinuxParameters", "Capabilities", "Add") {
+			emptyList := make([]interface{}, 0)
+			_, err = container.Set(emptyList, "LinuxParameters", "Capabilities", "Add")
+			if err != nil {
+				return fmt.Errorf("could not add LinuxParameters.Capabilities.Add: %w", err)
+			}
+		}
+
+		err := container.ArrayConcat(capabilities, "LinuxParameters", "Capabilities", "Add")
+		if err != nil {
+			return fmt.Errorf("could not append to LinuxParameters.Capabilities.Add: %w", err)
+		}
 	}
 
 	return nil