unknown field "capabilities" in io.k8s.api.core.v1.PodSecurityContext (running tshark in a container/k8s pod)

I have built a docker image containing tshark (it's an image I am going to use for doing various manual debugging from a kubernetes pod).

I have deployed a container in kubernetes running that image. But when I access the container and try to run tshark I get:

$ kubectl exec myapp-cbd49f587-w2swx -it bash
root@myapp-cbd49f587-w2swx:/# tshark -ni any -f "test.host" -w sample.pcap -F libpcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'
tshark: cap_set_proc() fail return: Operation not permitted

Googling that error:

https://www.weave.works/blog/container-capabilities-kubernetes/
https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/

it seems I need to configure a securityContext for my container/pod. In my deployment.yaml I have added:

  containers:
     ...
  securityContext:
    capabilities:
      add:
        - NET_ADMIN

But when I apply that deployment I get:

error: error validating "deployment.yaml": error validating data: ValidationError(Deployment.spec.template.spec.securityContext): unknown field "capabilities" in io.k8s.api.core.v1.PodSecurityContext; if you choose to ignore these errors, turn validation off with --validate=false

Adding --validate=false removes the error but also means the securityContext is ignored.

What is preventing me from setting:

  securityContext:
    capabilities:
      add:
        - NET_ADMIN

Based on the guides I have found this should be fine.

I have also looked at (looks to be non free):

https://sysdig.com/blog/tracing-in-kubernetes-kubectl-capture-plugin/

so probably the right way is to use some tool like that (ksniff) or set up a sidecar container. But I am still curious as to why I get the above error.

u123 Avatar asked Apr 22 '20 20:04

1 Answer

Looking specifically at the error: you posted only part of your manifest, and looking at it we can see that you put securityContext: at the same level as containers:

  containers:
     ...
  securityContext:
    capabilities:
      add:
        - NET_ADMIN

It should be under containers:, as written in the documentation:

To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest.

Example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: security-context-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      containers:
      - name: sec-ctx-4
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
Mark Watney Avatar answered Oct 18 '22 20:10

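The validation error above comes from the fact that io.k8s.api.core.v1.PodSecurityContext and the container-level SecurityContext are two different schemas with different fields. The following added example (not part of the question or answer, and not kubectl's own validator) reproduces that check on a loaded manifest: it flags container-only fields such as capabilities placed at pod level, flags pod-only fields such as fsGroup placed in a container, and moves the misplaced capabilities down into each container. The sample Deployment, its name and its image are constructed for the demonstration; with PyYAML installed, yaml.safe_load of a real manifest yields the same dict structure.

```python
"""Locate securityContext fields placed at the wrong level of a Kubernetes manifest."""
import copy

# Fields accepted only by the container-level io.k8s.api.core.v1.SecurityContext.
CONTAINER_ONLY = {"capabilities", "privileged", "allowPrivilegeEscalation",
                  "readOnlyRootFilesystem", "procMount"}
# Fields accepted only by the pod-level io.k8s.api.core.v1.PodSecurityContext.
POD_ONLY = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}

# Constructed sample: the question's mistake, securityContext beside containers.
BROKEN = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "myapp"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "debug", "image": "myapp-debug:latest"}],  # placeholder image
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }}},
}


def pod_spec(manifest):
    """Return the PodSpec of a bare Pod or of a workload that embeds a pod template."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})


def find_misplaced(manifest):
    """Return (path, field) pairs that kubectl's schema validation would reject."""
    spec = pod_spec(manifest)
    findings = [("spec.securityContext", f)
                for f in spec.get("securityContext", {}) if f in CONTAINER_ONLY]
    for i, c in enumerate(spec.get("containers", [])):
        findings += [(f"spec.containers[{i}].securityContext", f)
                     for f in c.get("securityContext", {}) if f in POD_ONLY]
    return findings


def move_capabilities_to_containers(manifest):
    """Return a copy in which pod-level container-only fields are moved into every container."""
    fixed = copy.deepcopy(manifest)
    spec = pod_spec(fixed)
    pod_sc = spec.get("securityContext", {})
    moved = {f: pod_sc.pop(f) for f in list(pod_sc) if f in CONTAINER_ONLY}
    if not pod_sc:  # drop an emptied pod-level block entirely
        spec.pop("securityContext", None)
    for c in spec.get("containers", []):
        c.setdefault("securityContext", {}).update(copy.deepcopy(moved))
    return fixed


if __name__ == "__main__":
    for path, field in find_misplaced(BROKEN):
        print(f'unknown field "{field}" at {path}')
    print(move_capabilities_to_containers(BROKEN)["spec"]["template"]["spec"]["containers"][0])
```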