sudhir tataraju

Reputation: 1379

How to escalate kubernetes container privileges for pod securityContext runAsUser: 1010

I have pod level security context like in below snippet:

spec:
  securityContext:
    runAsUser: 1010
    runAsGroup: 1010
    fsGroup: 1010
  containers:
       --------
       -------

One of my containers needs root privileges, so I added one more securityContext as below:

   spec:
      securityContext:
        runAsUser: 1010
        runAsGroup: 1010
        fsGroup: 1010
      containers:
      - name: sample
        securityContext:
          runAsUser: 0
        image: sampleimage
        ----------------
        -----------------

Now my container is able to run with root privileges, but my requirement is to avoid setting runAsUser: 0, which is root! Is there any other way we can escalate privileges for the container alone while keeping the same runAsUser: 1010?

I found some options like allowPrivilegeEscalation: true and capabilities:, but no luck! Maybe I am using them in the wrong way.

containers:
- image: sampleimage
  name: sample
  securityContext:
    allowPrivilegeEscalation: true

AND

  containers:
  - image: sampleimage
    name: sample
    securityContext:
      capabilities:
        add: ["SYS_ADMIN"]

Can anyone help by correcting my code, or point me to an example to refer to and implement? Please.

Upvotes: 3

Views: 2307

Answers (1)

taggelos

Reputation: 43

You need to specify the appropriate capabilities for the action you want to permit for the container.

As described in the Kubernetes official documentation.

There are 7 capabilities that you can choose from in the Linux documentation.

And everything comes down to what privileges you want to grant to the specific user.

Example

Confirm that you pass the correct configuration by running the following commands:

kubectl exec pod -c container -- whoami

kubectl exec -it pod -c container -- date -s '10 APR 2020 10:10:10'

With the second command, if you specified something wrong, you will receive the error:

date: cannot set date: Operation not permitted

Now if you add the capability SYS_TIME:

  containers:
  - image: yourimage
    name: yourimagename
    securityContext:
      runAsUser: 1010
      capabilities:
        add: ["SYS_TIME"]

Execute the second command again and you will see the date reflected as a string.

Upvotes: 1
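An added example (not code from the question or the answer) showing how the pod-level and container-level securityContext combine: for fields present at both levels the container-level value overrides the pod-level one, which is why runAsUser: 0 on the sample container takes effect despite the pod-level 1010, and then listing what a reviewer would flag. The manifest is a constructed dict, with an assumed second container that keeps uid 1010 and adds only SYS_TIME as the answer suggests; SHARED_FIELDS is an assumed subset of the API fields, not a full enumeration.

```python
from typing import Any, Dict, List

# Fields that exist in both the pod-level and the container-level securityContext;
# the container-level value wins when both are set. Assumed subset, chosen from
# the fields used on this page rather than a full enumeration of the API.
SHARED_FIELDS = ("runAsUser", "runAsGroup", "runAsNonRoot")

def effective_context(pod_spec: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Return the merged securityContext fields, keyed by container name."""
    pod_sc = pod_spec.get("securityContext", {})
    result: Dict[str, Dict[str, Any]] = {}
    for c in pod_spec.get("containers", []):
        csc = c.get("securityContext", {})
        merged = {f: csc.get(f, pod_sc.get(f)) for f in SHARED_FIELDS}
        # Container-only fields have no pod-level fallback.
        merged["allowPrivilegeEscalation"] = csc.get("allowPrivilegeEscalation")
        merged["capabilities_add"] = list(csc.get("capabilities", {}).get("add", []))
        result[c["name"]] = merged
    return result

def review(pod_spec: Dict[str, Any]) -> List[str]:
    """Findings a reviewer would raise about each container's effective context."""
    findings = []
    for name, sc in effective_context(pod_spec).items():
        if sc["runAsUser"] == 0:
            findings.append(f"{name}: runs as root (runAsUser: 0)")
        elif sc["runAsUser"] is None and not sc["runAsNonRoot"]:
            findings.append(f"{name}: no runAsUser set; the image default decides the uid")
        if sc["allowPrivilegeEscalation"]:
            findings.append(f"{name}: allowPrivilegeEscalation is true")
        for cap in sc["capabilities_add"]:
            findings.append(f"{name}: adds capability {cap}")
    return findings

# Constructed manifest mirroring the question: pod-level uid 1010, one container
# overriding to root, one keeping 1010 and adding only SYS_TIME as in the answer.
POD_SPEC = {
    "securityContext": {"runAsUser": 1010, "runAsGroup": 1010, "fsGroup": 1010},
    "containers": [
        {"name": "sample", "image": "sampleimage",
         "securityContext": {"runAsUser": 0}},
        {"name": "timekeeper", "image": "sampleimage",
         "securityContext": {"runAsUser": 1010, "capabilities": {"add": ["SYS_TIME"]}}},
    ],
}

if __name__ == "__main__":
    for line in review(POD_SPEC):
        print(line)
```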
