feat: allow collaset to create privileged container (#328)

* feat: support allow privileged

* add e2e

* move parameter to webhook

* add

* add

* add

* add

* fix e2e

* fix e2e

* fix e2e

Author: ColdsteelRail

pkg/webhook/server/generic/collaset/collaset_validating_handler.go

@@ -23,6 +23,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/kubernetes/pkg/apis/core"
+	"k8s.io/kubernetes/pkg/capabilities"
 
 	admissionv1 "k8s.io/api/admission/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -48,6 +49,11 @@ type ValidatingHandler struct {
 }
 
 func NewValidatingHandler() *ValidatingHandler {
+	// Validating webhook allows to create privileged containers, this will only work if api-server is started with --allow-privileged=true.
+	capabilities.Initialize(capabilities.Capabilities{
+		AllowPrivileged: true,
+	})
+
 	return &ValidatingHandler{
 		WebhookHandlerMixin: mixin.NewWebhookHandlerMixin(),
 	}

test/e2e/apps/collaset.go

@@ -62,6 +62,29 @@ var _ = SIGDescribe("CollaSet", func() {
 		randStr = rand.String(10)
 	})
 
+	framework.KusionstackDescribe("CollaSet Basics", func() {
+		framework.ConformanceIt("create privileged container", func() {
+			cls := tester.NewCollaSet("collaset-"+randStr, 3, appsv1alpha1.UpdateStrategy{})
+			// create container with privileged
+			privileged := true
+			cls.Spec.Template.Spec.Containers[0].SecurityContext = &v1.SecurityContext{
+				Privileged: &privileged,
+			}
+			Expect(tester.CreateCollaSet(cls)).NotTo(HaveOccurred())
+
+			By("Wait for status replicas satisfied")
+			Eventually(func() error { return tester.ExpectedStatusReplicas(cls, 3, 3, 3, 3, 3) }, 30*time.Second, 3*time.Second).ShouldNot(HaveOccurred())
+
+			By("Check container[0].securityContext.privileged")
+			pods, err := tester.ListPodsForCollaSet(cls)
+			Expect(err).NotTo(HaveOccurred())
+			for i := range pods {
+				privileged := pods[i].Spec.Containers[0].SecurityContext.Privileged
+				Expect(*privileged).Should(BeTrue())
+			}
+		})
+	})
+
 	framework.KusionstackDescribe("CollaSet Scaling", func() {
 
 		framework.ConformanceIt("scales in normal cases", func() {