How does Kubernetes implement Linux capabilities?
Linux capabilities apply to executable files. If I add capabilities to a container, what does that mean?
This is my container's securityContext:
securityContext:
  runAsUser: 1008
  capabilities:
    add:
      - NET_ADMIN
      - NET_RAW
But my task cannot create a raw socket. So should I apply the capabilities to the executable when packaging the Docker image?
As I suggested to you in the comments section, I am posting it as an answer:
Starting with kernel 2.2, Linux has divided privileged processes' privileges into distinct units, known as capabilities. These distinct units/privileges can be independently assigned and enabled for unprivileged processes introducing root privileges to them. Kubernetes users can use Linux capabilities to grant certain privileges to a process without giving it all privileges of the root user. This is helpful for improving container isolation from the host since containers no longer need to write as root: you can just grant certain root privileges to them and that's it.
The section of code under the containers section should look like this:
securityContext:
  capabilities:
    add:
      - NET_ADMIN
      - NET_RAW
To run certain capabilities (in your case, performing various network-related operations), you must run the container as root. See the example: