Kubernetes

Add or Remove the Linux Capabilities in Kubernetes SecurityContext

It might be difficult to manage the degree of privileges that are provided to each Pod and container in a Kubernetes container. We may utilize the Kubernetes SecurityContext capabilities to add or delete the Linux capabilities from the Pod and Container to increase the security of the container. This article focuses on using the securityContext to implement a simple example of adding and deleting capabilities. The configuration of a yaml file to delete all capabilities and add just one capability to a container is provided in the sample example. In this article, the proc and capsh commands are used to display the container’s capabilities.

Step 1: Start the Minikube Server

First, start the minikube server so that you can run your application and use the kubectl instructions. You may deploy your nodes, pods, and even cluster using the minikube server in the Kubernetes environment. The following command must be used to maintain the minikube in active mode:

> minikube start

By doing so, the minikube server is turned on and the Kubernetes environment is ready for use.

Step 2: Create a Kubernetes YAML File

In the second step, create a YAML file to deploy a pod.

Follow the steps to create a yaml file using nano:

  • Go to the directory path where you want to create the file or modify an existing file.
  • Type in the nano command followed by the file name.

Run the following nano command. It creates a YAML configuration file named “nano podsample.yaml”.

> nano podsample.yaml

Let’s move on to the next step which is to help you know how to configure a podsample.yaml file.

Step 3: Configure the YAML File

We add the capsh tool in the preceding step so that we can see the capabilities of our container.

Note that none of those parameters are configured for a securityContext section for this container. Thus, they are all set to system defaults. Consider the fact that this container operates as the default user which is supplied in the Dockerfile from which it is constructed if no user is defined for it in Kubernetes. For many containers, this default user is the root.

Step 4: Create a Pod

In this step, let’s create podsample.yaml with the following attached command:

> kubectl apply -f podsample.yaml

Step 5: Check for Capabilities

In the previous step, a pod is created and running.

Now that we have a shell inside of it, we can use capsh to verify its capabilities using the following command:

> $ kubectl exec - -stdin - -tty caps - - ash

Using the capsh command, it is possible to see the default capacities of the container which are listed as follows:

We can observe from the given output that the container has many default capabilities which are given to the container at runtime.

Step 6: Dropp the Single Capability in Kubernetes SecurityContext

In this step, we drop the single capability of the container.

Let’s configure the yaml file using the following command:

> nano dropod.yaml

After that, move to configure the droppod.yaml file using the following given command:

> kubectl apply -f droppod.yaml

Step 7: Configure to Add the Single Capability in YAML File

In this step, open the yaml file (dropped.yaml) that was created in Step 6. Then, set the container such that it no longer has access to the CAP_MKNOD capability, which removes the ability to create the new file system nodes.

The configured file is as shown:

Step 8: Check for Capabilities

The yaml file is configured to drop the CAP_MKNOD capability.

In this step, execute and run the dropcaps.yaml file to check the capabilities of the container using the following command:

> $ kubectl exec - -stdin - -tty dropcaps - - ash

The capacities can be checked by running the dropcaps file:

> # capsh - -print

We can observe that this pod dropped the CAP_MKNOD capability as compared to the first pod.

Step 9: Drop All Capabilities in Kubernetes SecurityContext

Since Kubernetes can drop a single capability, it can also drop all the capabilities through securityContext. In this step, drop all the capabilities of the container by implying the given command:

> nano samplenocap.yaml

After that, configure the samplenocap.yaml file using the following command:

> kubectl create -f samplenocap.yaml

Now, let’s move to the next step to drop all of the capacities in our securityContext settings.

Step 10: Configure All the Capabilities in the YAML File

In this step, open the yaml file that was created in Step 9. Then, configure inside the container.securityContext  and drop all the capabilities of the container.

The configured file is as shown:

Step 11: Check for Capabilities

Run the nocaps in capsh to see the information about capabilities. In this step, use the following command and display all the capabilities of the container:

> kubectl exec - -stdin - -tty nocaps - - ash

The capacities can be checked in the following illustration by running the samplenocaps yaml file in capsh:

># capsh - -print

The previous output shows that the current=”” and bounding set=”” are empty now. The capabilities are dropped successfully.

Step 12: Install the Bash

In this step, install Bash through apk since some system functions won’t work if we don’t have any capabilities at all. Even though our container is operating as a root, the installation of the Bash package fails.

> # apk add bash

Step 13: Check the Capabilities Information

There are several ways to view the capabilities of our container such as using the capsh and proc commands. In this step, we display the container capacities using the proc command and proc displays capacities as a bitmap. Although it is not quite as readable as the result from capsh, each bit that is defined here stands for a certain capability.

> # cd /proc/1/

Here, we can see that this particular container has no enabled capabilities; all of these values are zero.

Step 14: Adding a Single Capability in Kubernetes SecurityContext

In the previous steps, we dropped a single capability which is CAP_MKNOD and dropped all capabilities. But, in this step, we can add the capabilities back.

Execute the following command to create the yAML file:

> nano sampleadd.yaml

After that, configure the sampleadd.yaml file.

> kubectl create -f sampleadd.yaml

Now, let’s try the sampleadd.yaml file and add a single capacity in our securityContext settings.

Step 15: Configure the Single Capability in the YAML File

Now, let’s configure the file by adding the capability in spec.container.securityContext into capabilities.add [“MKNOD”].

The capability is displayed in the YAML file.

Step 16: Check for Capabilities

In this step, run the addcaps to check the capabilities using the following command:

> kubectl exec - -stdin - -tty addcaps - - as

The added capacity can be seen in the following given output:

current = cap_mknod+ep

Bounding set = cap_mknod

> # capsh - -print

Conclusion

You first learned from the implemented example about the default capabilities of the container which are assigned at run time that is displayed with the capsh command. Next, you learned to drop a single capability in a container named CAP_MKNOD. Then, you also learned how to drop all capabilities of the container using the //drop: –all configuration. Then, we used two ways to display the capabilities of containers – using the capsh and proc commands.

About the author

Kalsoom Bibi

Hello, I am a freelance writer and usually write for Linux and other technology related content