1. Masaya Aoyama
CyberAgent adtech studio
MasayaAoyama @amsy810
Based on 「Keynote: Running with Scissors – Liz Rice」
Capabilities and Privileges
+ KubeCon Recap
@Docker Meetup Tokyo #23
Series "Let's start now! Introduction to Kubernetes" @ThinkIT
Keynote speaker, Japan Container Days v18.04
CKA (CKA-1700-0138-0100)、CKAD (CKAD-1800-0002-0100)
OpenStack Active Technical Contributor
Masaya Aoyama (@amsy810)
Infrastructure Engineer
4. Capabilities and Privileges
Index >
Running images as root user
What are Capabilities
Add Capabilities
At the Kubernetes environment and PodSecurityPolicy
Do we need more isolation?
6. What are Capabilities
# We are root, but some privileges have not been granted
$ docker exec -it kubecon hostname changed-name
hostname: you must be root to change the host name
# Capabilities granted by default
$ docker exec -it kubecon capsh --print | grep Current
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Reference: Man page of CAPABILITIES
https://linuxjm.osdn.jp/html/LDP_man-pages/man7/capabilities.7.html
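As an added example (not part of the slides), a POSIX shell script that decodes a capability bitmask such as the CapEff line of /proc/<pid>/status into the same cap_* names capsh prints, and tests for a single capability; it assumes the Linux /proc layout, the bit order of <linux/capability.h>, and a constructed sample mask equal to the Docker default set shown above.

```shell
#!/bin/sh
# Added example (not from the slides): decode a capability bitmask such as the
# CapEff value in /proc/<pid>/status into cap_* names and test for one capability.

# Capability names in bit order (bit 0 first), after <linux/capability.h>.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# Constructed sample: Docker's default effective set, as /proc/self/status shows it.
SAMPLE_CAPEFF="00000000a80425fb"

# decode_caps MASK: print the comma-separated cap_* names whose bits are set in MASK (hex).
decode_caps() {
    mask=$1; i=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (0x$mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out,}cap_$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# has_cap MASK NAME: succeed if cap_NAME is in MASK, fail otherwise.
has_cap() {
    case ",$(decode_caps "$1")," in
        *",cap_$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# read_capeff [PID]: the live effective set of a process (default: the caller).
read_capeff() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

echo "Effective: $(decode_caps "$SAMPLE_CAPEFF")"
# cap_sys_admin (bit 21) is absent, which is why `hostname` fails even as root.
for c in sys_chroot sys_admin; do
    has_cap "$SAMPLE_CAPEFF" "$c" && echo "cap_$c: present" || echo "cap_$c: absent"
done
```

Inside a running container, `decode_caps "$(read_capeff)"` gives the same list without needing capsh installed in the image.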