我有一个关于能力的问题。
为什么我的程序在运行时工作 docker run --cap-add=NET_ADMIN ...
?
如果我使用文件 .yml 运行我的程序,它就不起作用:
containers:
- name: snake
image: docker.io/kelysa/snake:lastest
imagePullPolicy: Always
securityContext:
privileged: true
capabilities:
add: ["NET_ADMIN","NET_RAW"]
使用 --cap-add 运行 docker 和运行具有相同功能的 pod 有什么区别?
最佳答案
如 David Maze 所述并根据 docker docs:Runtime privilege and Linux capabilities
By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a “privileged” container is given access to all devices (see the documentation on cgroups devices).
--cap-add: Add Linux capabilities, --cap-drop: Drop Linux capabilities, --privileged=false: Give extended privileges to this container --device=[]: Allows you to run devices inside the container without the --privileged flag.
When the operator executes
docker run --privileged
, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.In addition to --privileged, the operator can have fine grain control over the capabilities using --cap-add and --cap-drop.
您可以找到两种功能:
此命令
docker run --cap-add=NET_ADMIN
将应用额外的 linux 功能。根据文档:
For interacting with the network stack, instead of using --privileged they should use --cap-add=NET_ADMIN to modify the network interfaces.
备注 :
为了减少系统调用攻击,最好只为容器提供所需的权限。另请参阅 Enabling Pod Security Policies .
从容器可以通过使用来实现:
securityContext:
capabilities:
drop: ["all"]
add: ["NET_BIND"]
要查看容器内的应用能力,您可以使用:
getpcaps process_id or $(pgrep your-proces_name)
列出和探索您使用的 linux 功能 capsh --print
资源 :
希望这有帮助。
关于linux - --cap-add=NET_ADMIN 与在 .yml 中添加功能之间的区别,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/58377469/