Contents

Kubernetes Capabilities

Linux Capabilities

Kernel < 2.2

Kernel >= 2.2

Linux Capabilities

Get Capabilities

Binary

```bash
getcap /usr/bin/ping
```

```
/usr/bin/ping = cap_net_raw+ep
```

PID

```bash
ps -ef | grep /usr/sbin/sshd | grep -v grep
```

```
root       779     1  0 03:55 ?        00:00:00 /usr/sbin/sshd -D
```

```bash
getpcaps 779
```

```
capabilities for `779': =
cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
```

Kubernetes Definition

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
spec:
  containers:
    - name: ubuntu-sleeper
      image: ubuntu
      command: [ "sleep", "1000" ]
      securityContext:
        capabilities:
          add: [ "SYS_TIME" ]
          drop: [ "CHOWN" ]
```
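`getpcaps` is not always installed, least of all inside a minimal container image such as the `ubuntu-sleeper` pod above. What it reads is the `CapEff`/`CapPrm`/`CapBnd` hex bitmasks in `/proc/<pid>/status`, so the same check can be done with the shell alone. The script below is an added example (not from the original page) that decodes such a mask into the `cap_*` names shown in the `getpcaps` output above, and can be pointed at a PID to verify what a process, or a container's PID 1, actually holds. The bit order is the standard `linux/capability.h` numbering; the sample mask `00000000a80425fb` is a constructed input (it happens to be the default set many container runtimes grant).

```shell
#!/bin/sh
# decode_caps.sh: decode a capability bitmask from /proc/<pid>/status
# (CapEff, CapPrm, CapBnd, CapInh, CapAmb) into cap_* names, the way
# getpcaps reports them. Added example, not from the original page.

# Capability names indexed by bit number (linux/capability.h ordering,
# bits 0..40: chown ... checkpoint_restore).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> comma-separated cap_* names for every set bit.
# An all-zero mask yields an empty line (no capabilities).
decode_caps() {
    mask=$((0x$1))
    i=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out}${out:+,}cap_${name}"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# pid_caps PID FIELD -> decoded names for one Cap* field of /proc/PID/status.
# FIELD defaults to CapEff (the set the kernel actually checks against).
pid_caps() {
    field="${2:-CapEff}"
    mask=$(awk -v f="$field:" '$1 == f { print $2 }' "/proc/$1/status")
    if [ -z "$mask" ]; then
        echo "no $field line in /proc/$1/status" >&2
        return 1
    fi
    decode_caps "$mask"
}

# Demo on a constructed sample mask; pass a PID to decode a live process,
# e.g. ./decode_caps.sh 1 inside a container to see what PID 1 holds.
if [ $# -gt 0 ]; then
    pid_caps "$1" "${2:-CapEff}"
else
    decode_caps 00000000a80425fb
fi
```

To confirm what the pod definition above actually produced, copy the script into the pod and run it against PID 1, or read the field directly and decode it on the host: `kubectl exec ubuntu-sleeper -- grep CapEff /proc/1/status` gives the mask, and `decode_caps <mask>` should list `cap_sys_time` and omit `cap_chown`. Comparing `CapEff` with `CapBnd` is also worthwhile: the bounding set limits what the process could ever regain, so a drop that only shows up in `CapEff` is weaker than one reflected in both.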