
Kubernetes Support for Container Capabilities

WaltonWang
Published 2017/03/15 15:32

For more in-depth articles on Kubernetes, see my blog home page on CSDN or OSChina.

Docker Container Capabilities

In the docker run command, we can add or drop Linux capabilities for a container with --cap-add and --cap-drop. The capabilities listed in the table below are the ones Docker grants a container by default; users can remove one or more of them with --cap-drop.

Docker's capabilities | Linux capabilities   | Capability Description
SETPCAP               | CAP_SETPCAP          | Modify process capabilities.
MKNOD                 | CAP_MKNOD            | Create special files using mknod(2).
AUDIT_WRITE           | CAP_AUDIT_WRITE      | Write records to kernel auditing log.
CHOWN                 | CAP_CHOWN            | Make arbitrary changes to file UIDs and GIDs (see chown(2)).
NET_RAW               | CAP_NET_RAW          | Use RAW and PACKET sockets.
DAC_OVERRIDE          | CAP_DAC_OVERRIDE     | Bypass file read, write, and execute permission checks.
FOWNER                | CAP_FOWNER           | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
FSETID                | CAP_FSETID           | Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
KILL                  | CAP_KILL             | Bypass permission checks for sending signals.
SETGID                | CAP_SETGID           | Make arbitrary manipulations of process GIDs and supplementary GID list.
SETUID                | CAP_SETUID           | Make arbitrary manipulations of process UIDs.
NET_BIND_SERVICE      | CAP_NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024).
SYS_CHROOT            | CAP_SYS_CHROOT       | Use chroot(2), change root directory.
SETFCAP               | CAP_SETFCAP          | Set file capabilities.

The capabilities listed in the table below are the ones Docker drops by default; users can add one or more of them back with --cap-add.

Docker's capabilities | Linux capabilities     | Capability Description
SYS_MODULE            | CAP_SYS_MODULE         | Load and unload kernel modules.
SYS_RAWIO             | CAP_SYS_RAWIO          | Perform I/O port operations (iopl(2) and ioperm(2)).
SYS_PACCT             | CAP_SYS_PACCT          | Use acct(2), switch process accounting on or off.
SYS_ADMIN             | CAP_SYS_ADMIN          | Perform a range of system administration operations.
SYS_NICE              | CAP_SYS_NICE           | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
SYS_RESOURCE          | CAP_SYS_RESOURCE       | Override resource limits.
SYS_TIME              | CAP_SYS_TIME           | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.
SYS_TTY_CONFIG        | CAP_SYS_TTY_CONFIG     | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.
AUDIT_CONTROL         | CAP_AUDIT_CONTROL      | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
MAC_OVERRIDE          | CAP_MAC_OVERRIDE       | Allow MAC configuration or state changes. Implemented for the Smack LSM.
MAC_ADMIN             | CAP_MAC_ADMIN          | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).
NET_ADMIN             | CAP_NET_ADMIN          | Perform various network-related operations.
SYSLOG                | CAP_SYSLOG             | Perform privileged syslog(2) operations.
DAC_READ_SEARCH       | CAP_DAC_READ_SEARCH    | Bypass file read permission checks and directory read and execute permission checks.
LINUX_IMMUTABLE       | CAP_LINUX_IMMUTABLE    | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.
NET_BROADCAST         | CAP_NET_BROADCAST      | Make socket broadcasts, and listen to multicasts.
IPC_LOCK              | CAP_IPC_LOCK           | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
IPC_OWNER             | CAP_IPC_OWNER          | Bypass permission checks for operations on System V IPC objects.
SYS_PTRACE            | CAP_SYS_PTRACE         | Trace arbitrary processes using ptrace(2).
SYS_BOOT              | CAP_SYS_BOOT           | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
LEASE                 | CAP_LEASE              | Establish leases on arbitrary files (see fcntl(2)).
WAKE_ALARM            | CAP_WAKE_ALARM         | Trigger something that will wake up the system.
BLOCK_SUSPEND         | CAP_BLOCK_SUSPEND      | Employ features that can block system suspend.

For example, by adding the NET_ADMIN capability to a container we can modify network interfaces from inside it. The corresponding docker run command is:

$ docker run -it --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy

Kubernetes SecurityContext

In a Kubernetes Pod definition, users add or drop capabilities by listing the capabilities to add and the capabilities to drop under Pod.spec.containers.securityContext.capabilities.

For example, to add the NET_ADMIN capability and drop the KILL capability, the Pod definition looks like this:

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  - name: friendly-container
    image: "alpine:3.4"
    command: ["/bin/echo", "hello", "world"]
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        drop:
        - KILL
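Both the Docker section above and this Pod definition describe capability sets by name, but the kernel and /proc report them as a hex bitmask (the CapEff line of /proc/<pid>/status), so verifying what a container actually received means translating between the two. The script below is an added example, not code from the original post or from Docker or Kubernetes: it maps names to kernel bit numbers, computes the mask for Docker's default set from the first table, decodes a CapEff value back into names, and models the post's add NET_ADMIN / drop KILL change against that default set. The bit numbering follows the kernel's capability.h; the drop-then-add order in apply_changes is a simplification of this example and is not a claim about how any particular runtime resolves a name listed in both lists.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): turn Linux capability bitmasks as
# reported in /proc/<pid>/status (CapEff) into names and back, to verify what a
# container really got after --cap-add/--cap-drop or a Pod securityContext.
# Bit numbers are the kernel's; names omit the CAP_ prefix as Docker/Kubernetes do.

# Capability names in kernel bit order: position in this list == capability number.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW \
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT \
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE \
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM \
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# The set Docker grants by default (the first table in the post).
DOCKER_DEFAULT_CAPS="CHOWN DAC_OVERRIDE FOWNER FSETID KILL SETGID SETUID SETPCAP \
NET_BIND_SERVICE NET_RAW SYS_CHROOT MKNOD AUDIT_WRITE SETFCAP"

# cap_number NAME: print the bit index of NAME (CAP_ prefix optional); fail if unknown.
cap_number() {
    local want i n
    want="${1#CAP_}"; i=0
    for n in $CAP_NAMES; do
        if [ "$n" = "$want" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    echo "unknown capability: $1" >&2
    return 1
}

# cap_mask NAME...: print the 16-digit hex mask for the given names, /proc style.
cap_mask() {
    local mask n bit
    mask=0
    for n in "$@"; do
        bit=$(cap_number "$n") || return 1
        mask=$((mask | (1 << bit)))
    done
    printf '%016x\n' "$mask"
}

# decode_caps HEXMASK: print the names of the set bits, in bit order.
decode_caps() {
    local mask i n out
    mask=$((0x$1)); i=0; out=""
    for n in $CAP_NAMES; do
        if [ $(((mask >> i) & 1)) -eq 1 ]; then out="$out $n"; fi
        i=$((i + 1))
    done
    echo "${out# }"
}

# has_cap HEXMASK NAME: succeed only if NAME's bit is set in the mask.
has_cap() {
    local bit mask
    bit=$(cap_number "$2") || return 1
    mask=$((0x$1))
    [ $(((mask >> bit) & 1)) -eq 1 ]
}

# apply_changes HEXMASK "DROP..." "ADD...": model a drop list and an add list
# against a starting mask. Drops first, then adds (a simplification of this
# example; a name present in both lists is not resolved the way a runtime would).
apply_changes() {
    local mask n bit
    mask=$((0x$1))
    for n in $2; do bit=$(cap_number "$n") || return 1; mask=$((mask & ~(1 << bit))); done
    for n in $3; do bit=$(cap_number "$n") || return 1; mask=$((mask | (1 << bit))); done
    printf '%016x\n' "$mask"
}

# show_current_caps: decode CapEff of this shell. Run it inside a container to
# see the effective set the runtime actually granted.
show_current_caps() {
    local eff
    eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    echo "CapEff=$eff -> $(decode_caps "$eff")"
}

# Walk-through: Docker's default set, then the post's Pod (add NET_ADMIN, drop KILL).
default_mask=$(cap_mask $DOCKER_DEFAULT_CAPS)
echo "docker default: $default_mask -> $(decode_caps "$default_mask")"
pod_mask=$(apply_changes "$default_mask" "KILL" "NET_ADMIN")
echo "pod example:    $pod_mask -> $(decode_caps "$pod_mask")"
has_cap "$pod_mask" NET_ADMIN && echo "NET_ADMIN present"
has_cap "$pod_mask" KILL || echo "KILL dropped"
if [ -r /proc/self/status ]; then show_current_caps; fi
```

Docker's default set comes out as 00000000a80425fb, the value you see as CapEff in an unmodified container; the Pod above yields 00000000a80435db. Running show_current_caps inside the Pod's container is the check that the securityContext was honoured, rather than trusting the manifest alone.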

Summary

Kubernetes controls a container's capabilities by configuring the capabilities to add and to drop under Pod.spec.containers.securityContext.capabilities, and ultimately relies on Docker's container capabilities mechanism to apply them.


© Copyright belongs to the author
