I am trying to authorize a Kubernetes pod with capabilities in securityContext.
I followed this document to check /proc/1/status and find some information about pods. But I found that inside the pod, it seems that logically I authorized SYS_ADMIN and the status seems to be perfect, but it doesn't work. So I tried giving privileged mode and dropping "ALL" capabilities, but it still doesn't work (all capabilities are available inside the privileged pod).
I've checked
- Give all capabilities without privilege
- Privileged pod
- Privileged pod dropping all capabilities
but in all cases /proc/1/status says
CapInh: 0000003fffffffff
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
but case 1 has no permission to mount or see several files inside /dev
and case 3 has all the permissions to mount or see all the files inside /dev (such as tty5).
I checked all the statuses on Kubernetes, but it was still the same on Docker. Personally, I can only think that all the capabilities won't work (including add and drop), so I want to know what the difference is.
CASE 1
  securityContext:
    capabilities:
      add:
      - ALL
CASE 2
  securityContext:
    privileged: true
CASE 3
  securityContext:
    privileged: true
    capabilities:
      drop:
      - ALL
CodePudding user response:
Setting privileged should modify:
1. capabilities: removing any capability restrictions
2. devices: the host devices will be visible
3. seccomp: removing restrictions on allowed syscalls
4. apparmor/selinux: policies aren't applied
5. cgroups: I don't believe the container is limited within a cgroup
That's from memory; I might be able to find some more by digging in the code if this doesn't point you to your issue.
CodePudding user response:
I found the answer. It wasn't a problem inside Kubernetes but the node's security option. I tested the same capabilities option in Docker and found that AppArmor was the problem.
In Docker, the option
--security-opt apparmor:unconfined
will allow me to have permission to get the capabilities.
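The question's /proc/1/status dump and the accepted answer's AppArmor finding are two separate checks, and both can be automated. The following is an added example, not code from the question or either answer: it decodes the Cap* hex masks from /proc/<pid>/status into capability names (bit numbers taken from linux/capability.h), parses the profile label in /proc/<pid>/attr/current, and reports why a capability-gated operation such as mount or /dev access can still fail. The function names, the SAMPLE_STATUS/FULL_STATUS strings and the AppArmor labels are constructed for the example; the sample status values mirror the ones printed in the question.

```python
"""Decode capability masks from /proc/<pid>/status and the AppArmor label from
/proc/<pid>/attr/current to explain why a container operation is denied.
Added example; sample inputs below are constructed."""
from __future__ import annotations

import re

# Bit index -> capability name, as numbered in linux/include/uapi/linux/capability.h
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]


def decode_mask(hex_mask: str) -> set[str]:
    """Turn a hex mask as printed in /proc/<pid>/status into a set of capability names."""
    value = int(hex_mask, 16)
    names: set[str] = set()
    bit = 0
    while value:
        if value & 1:
            # Bits beyond the table are newer than this list; keep them visible by number.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        value >>= 1
        bit += 1
    return names


def parse_status(status_text: str) -> dict[str, set[str]]:
    """Extract CapInh/CapPrm/CapEff/CapBnd/CapAmb from the text of /proc/<pid>/status."""
    caps: dict[str, set[str]] = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            caps[m.group(1)] = decode_mask(m.group(2))
    return caps


def parse_apparmor(attr_current: str) -> tuple[str, str | None]:
    """Parse /proc/<pid>/attr/current, e.g. 'docker-default (enforce)' or 'unconfined'."""
    text = attr_current.strip()
    m = re.match(r"^(\S+)(?:\s+\((\w+)\))?$", text)
    if not m:
        raise ValueError(f"unrecognised AppArmor label: {text!r}")
    return m.group(1), m.group(2)  # (profile name, mode or None when unconfined)


def diagnose(status_text: str, attr_current: str, wanted: str = "CAP_SYS_ADMIN") -> list[str]:
    """List the reasons a capability-gated operation (mount, /dev access) can still fail."""
    reasons: list[str] = []
    caps = parse_status(status_text)
    effective = caps.get("CapEff", set())
    bounding = caps.get("CapBnd", set())
    if wanted not in effective:
        if wanted in bounding:
            reasons.append(f"{wanted} is in the bounding set but not effective "
                           "(e.g. a non-root process with no file or ambient capabilities)")
        else:
            reasons.append(f"{wanted} is outside the bounding set (dropped by the runtime or pod spec)")
    profile, mode = parse_apparmor(attr_current)
    if profile != "unconfined" and mode == "enforce":
        reasons.append(f"AppArmor profile '{profile}' is enforced and can deny mount and "
                       "device access regardless of capabilities")
    return reasons


# Constructed sample: the masks reported in the question, plus a fully capable comparison.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000003fffffffff\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000003fffffffff\n"
    "CapAmb:\t0000000000000000\n"
)
FULL_STATUS = (SAMPLE_STATUS
               .replace("CapPrm:\t0000000000000000", "CapPrm:\t0000003fffffffff")
               .replace("CapEff:\t0000000000000000", "CapEff:\t0000003fffffffff"))

if __name__ == "__main__":
    # On a live system, read /proc/1/status and /proc/1/attr/current instead of the samples.
    for reason in diagnose(SAMPLE_STATUS, "docker-default (enforce)\n"):
        print(reason)
```

Run inside the container (with the two /proc files substituted for the samples) to see both checks at once: the mask decoder shows that the question's dump has a full bounding set but an empty effective set, and the AppArmor label tells you whether a profile such as docker-default is enforced, which is the restriction the accepted answer lifted with apparmor:unconfined.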