I have built a docker image containing tshark (it's an image I am going to use for doing various manual debugging from a kubernetes pod). I have deployed a container in kubernetes running that image. But when I access the container and try to run tshark I get:
$ kubectl exec myapp-cbd49f587-w2swx -it bash
root@myapp-cbd49f587-w2swx:/# tshark -ni any -f "test.host" -w sample.pcap -F libpcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'
tshark: cap_set_proc() fail return: Operation not permitted
Googling that error:
https://www.weave.works/blog/container-capabilities-kubernetes/ https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/
it seems I need to configure a securityContext for my container/pod. In my deployment.yaml I have added:
containers:
...
securityContext:
  capabilities:
    add:
    - NET_ADMIN
But when I apply that deployment I get:
error: error validating "deployment.yaml": error validating data: ValidationError(Deployment.spec.template.spec.securityContext): unknown field "capabilities" in io.k8s.api.core.v1.PodSecurityContext; if you choose to ignore these errors, turn validation off with --validate=false
Adding --validate=false removes the error but also means the securityContext is ignored.
What is preventing me from setting:
securityContext:
  capabilities:
    add:
    - NET_ADMIN
Based on the guides I have found this should be fine.
I have also looked at (looks to be non-free):
https://sysdig.com/blog/tracing-in-kubernetes-kubectl-capture-plugin/
so probably the right way is to use some tool like that (ksniff) or set up a sidecar container. But I am still curious as to why I get the above error.
The allowedCapabilities field is used to specify which capabilities pod authors can add in the Kubernetes securityContext.capabilities field in the container spec. I have the following PSP currently added to my Kubernetes cluster, and I have added some capabilities under allowedCapabilities:
The securityContext field is a PodSecurityContext object. The security settings that you specify for a Pod apply to all Containers in the Pod. Here is a configuration file for a Pod that has a securityContext and an emptyDir volume:
The capabilities which a pod would use are basically defined using PodSecurityPolicy. The allowedCapabilities field is used to specify which capabilities pod authors can add in the Kubernetes securityContext.capabilities field in the container spec.
Looking specifically at the error: you posted only part of your manifest, and from it we can see that you put securityContext: at the same level as containers::
containers:
...
securityContext:
  capabilities:
    add:
    - NET_ADMIN
It should be under containers:, as written in the documentation:
To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest.
Example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: security-context-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: security-context-demo
  template:
    metadata:
      labels:
        app: security-context-demo
    spec:
      containers:
      - name: sec-ctx-4
        image: gcr.io/google-samples/node-hello:1.0
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
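The validation error comes from the fact that capabilities, privileged, allowPrivilegeEscalation, readOnlyRootFilesystem and procMount exist only on the container-level SecurityContext, not on the pod-level PodSecurityContext that lives beside containers:. The script below, an added example that is not part of the question or the answer above, mirrors that check offline: it takes a Deployment as the dict kubectl would get after parsing the YAML, reports the same misplaced field, moves it under each container, and then compares the requested capabilities against a PodSecurityPolicy-style allowedCapabilities list as described in the PSP paragraphs above. The manifest is constructed for the example (name myapp, image myapp:latest are placeholders, not from the page); it asks for NET_RAW as well as NET_ADMIN because tshark's dumpcap needs CAP_NET_RAW to open the capture socket. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters Pod Security Admission or an admission webhook plays the same gatekeeping role, but the container-level placement of capabilities is unchanged.

```python
"""Detect and fix a `capabilities` block written at pod level, then check the
requested capabilities against a PSP-style allowedCapabilities list.
Added example; the manifest below is constructed, not taken from the page."""
import copy
import json

# Fields of the container-level SecurityContext that do NOT exist on the
# pod-level PodSecurityContext. kubectl's schema validation rejects any of
# them under spec.template.spec.securityContext ("unknown field ...").
CONTAINER_ONLY_FIELDS = (
    "capabilities",
    "privileged",
    "allowPrivilegeEscalation",
    "readOnlyRootFilesystem",
    "procMount",
)


def pod_spec(deployment):
    """Return the PodSpec inside a Deployment (spec.template.spec)."""
    return deployment["spec"]["template"]["spec"]


def find_misplaced(deployment):
    """List container-only fields that were written at pod level, i.e. the
    field names kubectl would report as 'unknown field'."""
    ctx = pod_spec(deployment).get("securityContext", {})
    return [f for f in CONTAINER_ONLY_FIELDS if f in ctx]


def move_to_containers(deployment):
    """Return a deep copy in which every misplaced field is moved from the
    pod-level securityContext into each container's securityContext.
    A setting a container already declares explicitly is left untouched,
    and an emptied pod-level securityContext is dropped."""
    fixed = copy.deepcopy(deployment)
    spec = pod_spec(fixed)
    pod_ctx = spec.get("securityContext", {})
    for field in find_misplaced(fixed):
        value = pod_ctx.pop(field)
        for container in spec.get("containers", []):
            container.setdefault("securityContext", {}).setdefault(
                field, copy.deepcopy(value))
    if not pod_ctx:
        spec.pop("securityContext", None)
    return fixed


def _normalize(cap):
    # Kubernetes spells capabilities without the CAP_ prefix; accept both.
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def check_allowed(deployment, allowed_capabilities):
    """Compare every container's capabilities.add against a PSP-style
    allowedCapabilities set. Returns (container name, capability) pairs the
    policy would reject; '*' in the policy allows everything."""
    allowed = {_normalize(c) for c in allowed_capabilities}
    rejected = []
    for container in pod_spec(deployment).get("containers", []):
        caps = container.get("securityContext", {}) \
                        .get("capabilities", {}).get("add", [])
        for cap in caps:
            if "*" not in allowed and _normalize(cap) not in allowed:
                rejected.append((container["name"], cap))
    return rejected


# Constructed manifest mirroring the question: securityContext sits beside
# containers (pod level) instead of inside the container entry.
BROKEN = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "myapp"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "myapp"}},
        "template": {
            "metadata": {"labels": {"app": "myapp"}},
            "spec": {
                "containers": [{"name": "myapp", "image": "myapp:latest"}],
                "securityContext": {
                    "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}},
            },
        },
    },
}

if __name__ == "__main__":
    print("misplaced at pod level:", find_misplaced(BROKEN))
    fixed = move_to_containers(BROKEN)
    print(json.dumps(pod_spec(fixed), indent=2))
    # A PSP that only allows NET_ADMIN still rejects the NET_RAW request.
    print("rejected by policy:", check_allowed(fixed, {"NET_ADMIN"}))
```

Running the script prints the repaired PodSpec with capabilities nested under the myapp container, which is the layout kubectl accepts; the last line shows that a policy listing only NET_ADMIN would still block the pod because of NET_RAW, which is the second thing to check once the placement error is gone.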