Difference between --cap-add=NET_ADMIN and add capabilities in .yml

linux docker kubernetes kubectl
34,434

As described by David Maze and According to the docker docs:Runtime privilege and Linux capabilities

By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on cgroups devices).

--cap-add: Add Linux capabilities,
--cap-drop: Drop Linux capabilities,
--privileged=false: Give extended privileges to this container
--device=[]: Allows you to run devices inside the container without the --privileged flag.

When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.

In addition to --privileged, the operator can have fine grain control over the capabilities using --cap-add and --cap-drop.

You can find there two kinds of capabilities:

  • Docker with default list of capabilities that are kept.
  • capabilities which are not granted by default and may be added.

This command docker run --cap-add=NET_ADMIN will apply additional linux capibilities.

As per docs:

For interacting with the network stack, instead of using --privileged they should use --cap-add=NET_ADMIN to modify the network interfaces.

Note:

To reduce syscall attacks it's good practice to give the container only required privileges. Please refer also to Enabling Pod Security Policies.

From container it can be achieved by using:

securityContext:
  capabilities:
    drop: ["all"]
    add: ["NET_BIND"]

To see applied capibilities inside your container you can use: getpcaps process_id or $(pgrep your-proces_name) to list and explore linux capibilities you an use capsh --print

Resources:

Hope this help.

Share:
34,434
Julie
Author by

Julie

Updated on July 09, 2022

Comments

  • Julie
    Julie almost 2 years

    i have a question and a problem about capabilities.

    Why my program work when i run docker run --cap-add=NET_ADMIN ... ?

    And it's doesn't work if i run my program with file .yml which is:

          containers:
      - name: snake
        image: docker.io/kelysa/snake:lastest
        imagePullPolicy: Always
        securityContext:
          privileged: true
          capabilities:
            add: ["NET_ADMIN","NET_RAW"]

    What is the difference between run docker with --cap-add and run a pod with the same capabilities ?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

error marking master: timed out waiting for the condition [kubernetes]
How to copy files to container in kubernetes yaml
How to add custom host entries to kubernetes Pods?
kubelet failed with kubelet cgroup driver: "cgroupfs" is different from docker cgroup driver: "systemd"
Delete kubernetes cluster on docker-for-desktop OSX?
Kubernetes describe pod - Error from server (NotFound)
Kubernetes Pod fails with CrashLoopBackOff
How to use local docker images with Minikube?
Changing image tags and name with kustomization.yaml
How to update minikube latest version?