Difference between --cap-add=NET_ADMIN and add capabilities in .yml
Problem description
I have a question and a problem about capabilities.
Why does my program work when I run docker run --cap-add=NET_ADMIN ... ?
And it doesn't work if I run my program with a .yml file which is:
containers:
- name: snake
  image: docker.io/kelysa/snake:lastest
  imagePullPolicy: Always
  securityContext:
    privileged: true
    capabilities:
      add: ["NET_ADMIN","NET_RAW"]
What is the difference between running docker with --cap-add and running a pod with the same capabilities?
Recommended answer
As described by David Maze and according to the docker docs: Runtime privilege and Linux capabilities
By default, Docker containers are "unprivileged" and cannot, for example, run a Docker daemon inside a Docker container. This is because by default a container is not allowed to access any devices, but a "privileged" container is given access to all devices (see the documentation on cgroups devices).
--cap-add: Add Linux capabilities,
--cap-drop: Drop Linux capabilities,
--privileged=false: Give extended privileges to this container
--device=[]: Allows you to run devices inside the container without the --privileged flag.
When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host.
In addition to --privileged, the operator can have fine grain control over the capabilities using --cap-add and --cap-drop.
You can find two kinds of capabilities:
- Docker's default list of capabilities.
- Capabilities that are not granted by default and can be added.
This command docker run --cap-add=NET_ADMIN will apply additional Linux capabilities.
According to the docs:
For interacting with the network stack, instead of using --privileged they should use --cap-add=NET_ADMIN to modify the network interfaces.
Note:
To reduce syscall attacks it's good practice to give the container only required privileges. Please refer also to Enabling Pod Security Policies.
It can be used from the container:
securityContext:
  capabilities:
    drop: ["ALL"]
    # NET_BIND is not a Linux capability; the port-binding capability is NET_BIND_SERVICE
    add: ["NET_BIND_SERVICE"]
To see the applied capabilities inside your container you can use:
getpcaps process_id or $(pgrep your-process_name)
To list and explore Linux capabilities you can use capsh --print
Resources:
- Linux capabilities,
- docker labs,
- capsh
- Configuring Container Capabilities with Kubernetes
- What is a Pod Security Policy
Hope this helps.
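The answer's advice is to check what actually reached the process with getpcaps or capsh --print. The following Python script is an added example, not code from the original answer: it reads the same information from the Cap* lines of /proc/<pid>/status, decodes the hex bitmask into capability names, and reports which of a required set (here NET_ADMIN and NET_RAW, as in the question) is missing from the effective set. The bit numbers are those of <linux/capability.h>; DOCKER_DEFAULT_CAPS is the mask of the capability set Docker grants by default; the two status snippets and the function names are constructed for this example.

```python
"""Decode capability masks from /proc/<pid>/status and check a required set.

Added example, not part of the original answer. Bit numbers follow
<linux/capability.h>; the status snippets below are constructed sample input.
"""
import re

# Capability bit numbers from <linux/capability.h>
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}
CAP_BITS = {name: bit for bit, name in CAP_NAMES.items()}

# Mask of Docker's default set: CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID,
# SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD, AUDIT_WRITE, SETFCAP.
# Note NET_RAW is in it but NET_ADMIN is not.
DOCKER_DEFAULT_CAPS = 0x00000000A80425FB

# Constructed sample: what /proc/1/status looks like in a plain `docker run` container
SAMPLE_STATUS_DEFAULT = (
    "Name:\tsnake\nPid:\t1\n"
    "CapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)


def decode_caps(mask):
    """Return the capability names whose bit is set in mask, lowest bit first."""
    return [name for bit, name in sorted(CAP_NAMES.items()) if (mask >> bit) & 1]


def caps_with(mask, *names):
    """Return mask with the named capabilities added (the effect of --cap-add)."""
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return mask


def parse_status(status_text):
    """Extract the Cap* lines of a /proc/<pid>/status dump as integers."""
    pattern = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)
    return {m.group(1): int(m.group(2), 16) for m in pattern.finditer(status_text)}


def missing_caps(effective_mask, required):
    """Names in `required` whose bit is not set in effective_mask."""
    have = set(decode_caps(effective_mask))
    return [c for c in required if c not in have]


def report(status_text, required):
    """Compare CapEff against a required set and explain the result.

    If a capability is in CapBnd but not CapEff it was permitted at container
    start but not made effective for this process (e.g. dropped by the program).
    """
    caps = parse_status(status_text)
    missing = missing_caps(caps["CapEff"], required)
    bounded_only = [c for c in missing if c in decode_caps(caps.get("CapBnd", 0))]
    return {"effective": decode_caps(caps["CapEff"]), "missing": missing,
            "in_bounding_set_only": bounded_only}


if __name__ == "__main__":
    required = ["CAP_NET_ADMIN", "CAP_NET_RAW"]
    try:  # on a Linux host, inspect this very process
        with open("/proc/self/status") as f:
            text = f.read()
    except OSError:  # elsewhere, fall back to the constructed sample
        text = SAMPLE_STATUS_DEFAULT
    print(report(text, required))
    print("default docker run is missing:",
          missing_caps(DOCKER_DEFAULT_CAPS, required))
    print("docker run --cap-add=NET_ADMIN is missing:",
          missing_caps(caps_with(DOCKER_DEFAULT_CAPS, "CAP_NET_ADMIN"), required))
```

Run it inside the container (python3 caps.py) or feed it the status file of the suspect process; the useful comparison is CapEff against the required set, and CapBnd against CapEff tells you whether a missing capability was never granted at all or was granted and then dropped by the process itself.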