Linux capabilities are applied to executables. If I add capabilities to a container, what does that mean? This is my container's security context:
securityContext:
  runAsUser: 1008
  capabilities:
    add:
      - NET_ADMIN
      - NET_RAW
But my task cannot create a raw socket. So should I apply the capabilities to the executable when packaging the Docker image?
As I have advised you in the comment section, I am posting it as an answer:
Starting with kernel 2.2, Linux has divided privileged processes’ privileges into distinct units, known as capabilities. These distinct units/privileges can be independently assigned and enabled for unprivileged processes introducing root privileges to them. Kubernetes users can use Linux capabilities to grant certain privileges to a process without giving it all privileges of the root user. This is helpful for improving container isolation from the host since containers no longer need to write as root — you can just grant certain root privileges to them and that’s it.
See: linux-cap-kubernetes.
Part of your code under container section should look like this:
securityContext:
  capabilities:
    add:
      - NET_ADMIN
      - NET_RAW
To run some capabilities (in your case perform various network-related operations) you have to run the container as root. See example: capabilities-securitycontext.
Read more: linux-capabilities-securityContext.
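A practical way to see why the non-root task above cannot open a raw socket is to look at the capability sets the kernel reports for the process in /proc/self/status. Capabilities added under securityContext.capabilities.add end up in the container's bounding set, but when the entry point is executed as uid 1008 and the binary carries no file capabilities, the permitted and effective sets come out empty, so CAP_NET_RAW is present in CapBnd yet unusable. The following decoder is an added example and is not code from the question, the answer or Kubernetes itself; the two status excerpts are constructed (the hex masks are Docker's default capability set plus NET_ADMIN), and the function names are my own.

```python
"""Decode the Cap* lines of a Linux /proc/<pid>/status file.

Added example, not part of the original question or answer. It shows which
capabilities a process actually holds in each set (inheritable, permitted,
effective, bounding, ambient) and why a non-root container can have
CAP_NET_RAW in its bounding set without being able to use it.
"""
import os

# Capability bit numbers from <linux/capability.h>; list index == bit number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed /proc/self/status excerpts (not captured from a real pod).
# 0xa80435fb = Docker's default capability set (0xa80425fb) plus NET_ADMIN (bit 12).
ROOT_STATUS = """\
Name:\tping
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80435fb
CapEff:\t00000000a80435fb
CapBnd:\t00000000a80435fb
CapAmb:\t0000000000000000
"""
# Same container started with runAsUser: 1008 and no file capabilities on the binary.
NONROOT_STATUS = """\
Name:\tping
Uid:\t1008\t1008\t1008\t1008
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80435fb
CapAmb:\t0000000000000000
"""


def parse_status(status_text: str) -> dict:
    """Return the effective uid and each Cap* mask (as int) from status text."""
    result = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in CAP_SETS:
            result[key] = int(value, 16)
        elif key == "Uid":
            # Uid lists real, effective, saved and filesystem uids; take the effective one.
            result["Uid"] = int(value.split()[1])
    return result


def decode_mask(mask: int) -> list:
    """Translate a capability bitmask into the list of capability names it contains."""
    return [name for name, bit in CAP_BIT.items() if mask >> bit & 1]


def has_capability(status_text: str, cap_name: str, cap_set: str = "CapEff") -> bool:
    """True if cap_name is set in the given capability set (effective by default)."""
    return bool(parse_status(status_text).get(cap_set, 0) >> CAP_BIT[cap_name] & 1)


def diagnose(status_text: str, cap_name: str) -> str:
    """Explain, for one capability, which set it is missing from and why that matters."""
    info = parse_status(status_text)
    bit = CAP_BIT[cap_name]
    in_set = {s: bool(info.get(s, 0) >> bit & 1) for s in CAP_SETS}
    if in_set["CapEff"]:
        return f"{cap_name} is effective"
    if not in_set["CapBnd"]:
        return f"{cap_name} is outside the bounding set: add it under securityContext.capabilities.add"
    if not in_set["CapPrm"]:
        return (f"{cap_name} is in the bounding set but not permitted/effective: the process runs as "
                f"uid {info.get('Uid')}, so it was dropped at exec; the binary needs file capabilities "
                f"(or the process needs ambient capabilities) to use it")
    return f"{cap_name} is permitted but not raised into the effective set"


if __name__ == "__main__":
    # On a Linux host or inside a container, inspect the current process.
    path = "/proc/self/status"
    text = open(path).read() if os.path.exists(path) else NONROOT_STATUS
    info = parse_status(text)
    for cap_set in CAP_SETS:
        print(f"{cap_set}: {', '.join(decode_mask(info.get(cap_set, 0))) or '(none)'}")
    print(diagnose(text, "CAP_NET_RAW"))
```

Run it with `kubectl exec` inside the pod to get the real picture for your workload: if CAP_NET_RAW shows up only under CapBnd while Uid is 1008, the manifest is doing what it can and the remaining step is on the image side (file capabilities on the executable), not in securityContext.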