Merge pull request #49853 from duan-yue/capabilities

Automatic merge from submit-queue (batch tested with PRs 49847, 49743, 49853, 50225, 50479)

refactor capabilities to a singleton struct

**What this PR does / why we need it**:
refactor
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
refactor
**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

pkg/capabilities/BUILD

@@ -3,6 +3,7 @@ package(default_visibility = ["//visibility:public"])
 load(
     "@io_bazel_rules_go//go:def.bzl",
     "go_library",
+    "go_test",
 )
 
 go_library(
@@ -13,6 +14,13 @@ go_library(
     ],
 )
 
+go_test(
+    name = "go_default_test",
+    srcs = ["capabilities_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+)
+
 filegroup(
     name = "package-srcs",
     srcs = glob(["**"]),

pkg/capabilities/capabilities.go

@@ -46,16 +46,17 @@ type PrivilegedSources struct {
 	HostIPCSources []string
 }
 
-// TODO: Clean these up into a singleton
+var capInstance struct {
-var once sync.Once
+	once         sync.Once
-var lock sync.Mutex
+	lock         sync.Mutex
-var capabilities *Capabilities
+	capabilities *Capabilities
+}
 
 // Initialize the capability set.  This can only be done once per binary, subsequent calls are ignored.
 func Initialize(c Capabilities) {
 	// Only do this once
-	once.Do(func() {
+	capInstance.once.Do(func() {
-		capabilities = &c
+		capInstance.capabilities = &c
 	})
 }
 
@@ -70,17 +71,17 @@ func Setup(allowPrivileged bool, privilegedSources PrivilegedSources, perConnect
 
 // SetForTests sets capabilities for tests.  Convenience method for testing.  This should only be called from tests.
 func SetForTests(c Capabilities) {
-	lock.Lock()
+	capInstance.lock.Lock()
-	defer lock.Unlock()
+	defer capInstance.lock.Unlock()
-	capabilities = &c
+	capInstance.capabilities = &c
 }
 
 // Returns a read-only copy of the system capabilities.
 func Get() Capabilities {
-	lock.Lock()
+	capInstance.lock.Lock()
-	defer lock.Unlock()
+	defer capInstance.lock.Unlock()
 	// This check prevents clobbering of capabilities that might've been set via SetForTests
-	if capabilities == nil {
+	if capInstance.capabilities == nil {
 		Initialize(Capabilities{
 			AllowPrivileged: false,
 			PrivilegedSources: PrivilegedSources{
@@ -90,5 +91,5 @@ func Get() Capabilities {
 			},
 		})
 	}
-	return *capabilities
+	return *capInstance.capabilities
 }

pkg/capabilities/capabilities_test.go

@@ -0,0 +1,50 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package capabilities
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestGet(t *testing.T) {
+	defaultCap := Capabilities{
+		AllowPrivileged: false,
+		PrivilegedSources: PrivilegedSources{
+			HostNetworkSources: []string{},
+			HostPIDSources:     []string{},
+			HostIPCSources:     []string{},
+		},
+	}
+
+	res := Get()
+	if !reflect.DeepEqual(defaultCap, res) {
+		t.Fatalf("expected Capabilities: %#v, got a non-default: %#v", defaultCap, res)
+	}
+
+	cap := Capabilities{
+		PrivilegedSources: PrivilegedSources{
+			HostNetworkSources: []string{"A", "B"},
+		},
+	}
+	SetForTests(cap)
+
+	res = Get()
+	if !reflect.DeepEqual(cap, res) {
+		t.Fatalf("expected Capabilities: %#v , got a different: %#v", cap, res)
+	}
+}