runtime/kubernetes: Only add capabilities stanza when there is something to add.

nichtverstehen · nichtverstehen · commit 4ef419f06bb2 · 2023-12-12T10:42:52.000+01:00
We see churn in mimir deployments: cabilities message is being added and removed
all the time. This shouldn't be happening logically, but we are making this
fix to prevent it anyway before diving deeper.
diff --git a/internal/runtime/kubernetes/securitycontext.go b/internal/runtime/kubernetes/securitycontext.go
@@ -54,13 +54,15 @@ func makeSecurityContext(opts runtime.ContainerRunOpts, containerName string, de
 			WithRunAsNonRoot(false)
 	}
 
-	var caps []k8sv1.Capability
-	for _, cap := range opts.Capabilities {
-		caps = append(caps, k8sv1.Capability(cap))
+	if len(opts.Capabilities) > 0 {
+		var caps []k8sv1.Capability
+		for _, cap := range opts.Capabilities {
+			caps = append(caps, k8sv1.Capability(cap))
+		}
+		secCtx = secCtx.WithCapabilities(&applycorev1.CapabilitiesApplyConfiguration{
+			Add: caps,
+		})
 	}
-	secCtx = secCtx.WithCapabilities(&applycorev1.CapabilitiesApplyConfiguration{
-		Add: caps,
-	})
 
 	if opts.ReadOnlyFilesystem {
 		secCtx = secCtx.WithReadOnlyRootFilesystem(true)
