How does Kubernetes implement Linux capabilities?

12/17/2020

Linux capabilities are applied to an executable. If I add capabilities to a container, what does it mean? This is my container securityContext:

securityContext:
  runAsUser: 1008
  capabilities:
    add:
      - NET_ADMIN
      - NET_RAW

But my task can't create a raw socket. So shall I apply the capabilities to the executable when packing the Docker image?

-- Mr Pang
kubernetes
linux
security-context

1 Answer

12/18/2020

As I advised you in the comment section, I am posting it as an answer:

Starting with kernel 2.2, Linux has divided privileged processes’ privileges into distinct units, known as capabilities. These distinct units/privileges can be independently assigned and enabled for unprivileged processes introducing root privileges to them. Kubernetes users can use Linux capabilities to grant certain privileges to a process without giving it all privileges of the root user. This is helpful for improving container isolation from the host since containers no longer need to write as root — you can just grant certain root privileges to them and that’s it.

See: linux-cap-kubernetes.

Part of your code under container section should look like this:

securityContext:
  capabilities:
    add:
      - NET_ADMIN
      - NET_RAW

To run some capabilities (in your case, to perform various network-related operations) you have to run the container as root. See the example: capabilities-securitycontext.

Read more: linux-capabilities-securityContext.

-- Malgorzata
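To see which capabilities a container process actually holds at runtime, here is a small added check (not part of the thread above) that decodes the CapEff mask from /proc/self/status and then attempts the raw socket call the question is about. It assumes a Linux host; the bit numbers 12 (CAP_NET_ADMIN) and 13 (CAP_NET_RAW) are the kernel's own values.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define CAP_NET_ADMIN 12   /* bit numbers as in <linux/capability.h> */
#define CAP_NET_RAW   13

/* Parse one "CapXxx:\t<16 hex digits>" line from /proc/<pid>/status into a
 * 64-bit mask. Returns 0 on success, -1 if `line` is not the `name` field. */
int parse_cap_line(const char *line, const char *name, uint64_t *mask) {
    size_t n = strlen(name);
    if (strncmp(line, name, n) != 0 || line[n] != ':') return -1;
    const char *p = line + n + 1;
    while (*p == ' ' || *p == '\t') p++;
    char *end; unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* 1 if capability bit `cap` is set in `mask`, else 0. */
int cap_is_set(uint64_t mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Effective set of the current process: the set the kernel checks on socket(). */
int read_effective_caps(uint64_t *mask) {
    FILE *f = fopen("/proc/self/status", "r"); if (!f) return -1;
    char line[256]; int rc = -1;
    while (rc != 0 && fgets(line, sizeof line, f))
        rc = parse_cap_line(line, "CapEff", mask);
    fclose(f);
    return rc;
}

int main(void) {
    uint64_t eff = 0;
    if (read_effective_caps(&eff) != 0) { perror("CapEff"); return 1; }
    printf("uid=%u CapEff=%016llx NET_ADMIN=%d NET_RAW=%d\n", (unsigned)getuid(),
           (unsigned long long)eff, cap_is_set(eff, CAP_NET_ADMIN),
           cap_is_set(eff, CAP_NET_RAW));
    /* Raw sockets need CAP_NET_RAW in the effective set; if the add: entry
     * never reached it for the non-root uid, this fails with EPERM. */
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (s < 0) perror("socket(AF_INET, SOCK_RAW)");
    else { puts("raw socket created"); close(s); }
    return 0;
}
```

Run it as the container's entrypoint (or via kubectl exec) once with runAsUser: 1008 and once as root to compare the CapEff value that each securityContext actually yields.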
Source: StackOverflow