Hello,
I am just starting with Kubernetes, and I have some questions regarding the Security Contexts for a Pod or Container and the capabilities that the container runtime allows.
I have set this on the Container level:
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
and the following on the pod level:
securityContext:
runAsUser: 1000
runAsNonRoot: true
In the Kubernetes API Reference Doku (Kubernetes API Reference Docs) is says “The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.”
However, once I inspect the container with crictl inspect {container Id} I get the following listed under capabilities:
“capabilities”: {
“bounding”: [
“CAP_CHOWN”,
“CAP_DAC_OVERRIDE”,
“CAP_FSETID”,
“CAP_FOWNER”,
“CAP_MKNOD”,
“CAP_NET_RAW”,
“CAP_SETGID”,
“CAP_SETUID”,
“CAP_SETFCAP”,
“CAP_SETPCAP”,
“CAP_NET_BIND_SERVICE”,
“CAP_SYS_CHROOT”,
“CAP_KILL”,
“CAP_AUDIT_WRITE”
],
“effective”: [
“CAP_CHOWN”,
“CAP_DAC_OVERRIDE”,
“CAP_FSETID”,
“CAP_FOWNER”,
“CAP_MKNOD”,
“CAP_NET_RAW”,
“CAP_SETGID”,
“CAP_SETUID”,
“CAP_SETFCAP”,
“CAP_SETPCAP”,
“CAP_NET_BIND_SERVICE”,
“CAP_SYS_CHROOT”,
“CAP_KILL”,
“CAP_AUDIT_WRITE”
],
“permitted”: [
“CAP_CHOWN”,
“CAP_DAC_OVERRIDE”,
“CAP_FSETID”,
“CAP_FOWNER”,
“CAP_MKNOD”,
“CAP_NET_RAW”,
“CAP_SETGID”,
“CAP_SETUID”,
“CAP_SETFCAP”,
“CAP_SETPCAP”,
“CAP_NET_BIND_SERVICE”,
“CAP_SYS_CHROOT”,
“CAP_KILL”,
“CAP_AUDIT_WRITE”
]
I have read in a book called “hacking Kubernetes” that having the capabilities CAP_SETGID and CAP_SETUID can allow a container to become the Root user.
I am using Kubernetes v.1.23.5 with container runtime Containerd
Version: 0.1.0
RuntimeName: containerd
RuntimeVersion: 1.5.11+azure-2
RuntimeApiVersion: v1alpha2
My question is:
Do I have to explicitly remove these capabilities in the pod definition file?
Thanks,
Best Regards,
Mike