Kubernetes对Container Capabilities的支持

相信玩过docker的同学,都对Docker Container Capability有过了解。我曾经在项目中因为修改网卡配置权限问题,需要配置容器的Capabilities(NET_ADMIN),当时做过一些研究。今天突然有个同事问我,在Kubernetes中怎么配置容器的Capabilities呢?本文就全面介绍一下这方面的内容。

Docker Container Capabilities

在docker run命令中,我们可以通过--cap-add--cap-drop来给容器添加linux Capabilities。下面表格中的列出的Capabilities是docker默认给容器添加的,用户可以通过--cap-drop去除其中一个或者多个。

Docker’s capabilitiesLinux capabilitiesCapability Description
SETPCAPCAP_SETPCAPModify process capabilities.
MKNODCAP_MKNODCreate special files using mknod(2).
AUDIT_WRITECAP_AUDIT_WRITEWrite records to kernel auditing log.
CHOWNCAP_CHOWNMake arbitrary changes to file UIDs and GIDs (see chown(2)).
NET_RAWCAP_NET_RAWUse RAW and PACKET sockets.
DAC_OVERRIDECAP_DAC_OVERRIDEBypass file read, write, and execute permission checks.
FOWNERCAP_FOWNERBypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
FSETIDCAP_FSETIDDon’t clear set-user-ID and set-group-ID permission bits when a file is modified.
KILLCAP_KILLBypass permission checks for sending signals.
SETGIDCAP_SETGIDMake arbitrary manipulations of process GIDs and supplementary GID list.
SETUIDCAP_SETUIDMake arbitrary manipulations of process UIDs.
NET_BIND_SERVICECAP_NET_BIND_SERVICEBind a socket to internet domain privileged ports (port numbers less than 1024).
SYS_CHROOTCAP_SYS_CHROOTUse chroot(2), change root directory.
SETFCAPCAP_SETFCAPSet file capabilities.

下面表格中列出的Capabilities是docker默认删除的Capabilities,用户可以通过--cap-add添加其中一个或者多个。

Docker’s capabilitiesLinux capabilitiesCapability Description
SYS_MODULECAP_SYS_MODULELoad and unload kernel modules.
SYS_RAWIOCAP_SYS_RAWIOPerform I/O port operations (iopl(2) and ioperm(2)).
SYS_PACCTCAP_SYS_PACCTUse acct(2), switch process accounting on or off.
SYS_ADMINCAP_SYS_ADMINPerform a range of system administration operations.
SYS_NICECAP_SYS_NICERaise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
SYS_RESOURCECAP_SYS_RESOURCEOverride resource Limits.
SYS_TIMECAP_SYS_TIMESet system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.
SYS_TTY_CONFIGCAP_SYS_TTY_CONFIGUse vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.
AUDIT_CONTROLCAP_AUDIT_CONTROLEnable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
MAC_OVERRIDECAP_MAC_OVERRIDEAllow MAC configuration or state changes. Implemented for the Smack LSM.
MAC_ADMINCAP_MAC_ADMINOverride Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).
NET_ADMINCAP_NET_ADMINPerform various network-related operations.
SYSLOGCAP_SYSLOGPerform privileged syslog(2) operations.
DAC_READ_SEARCHCAP_DAC_READ_SEARCHBypass file read permission checks and directory read and execute permission checks.
LINUX_IMMUTABLECAP_LINUX_IMMUTABLESet the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.
NET_BROADCASTCAP_NET_BROADCASTMake socket broadcasts, and listen to multicasts.
IPC_LOCKCAP_IPC_LOCKLock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
IPC_OWNERCAP_IPC_OWNERBypass permission checks for operations on System V IPC objects.
SYS_PTRACECAP_SYS_PTRACETrace arbitrary processes using ptrace(2).
SYS_BOOTCAP_SYS_BOOTUse reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
LEASECAP_LEASEEstablish leases on arbitrary files (see fcntl(2)).
WAKE_ALARMCAP_WAKE_ALARMTrigger something that will wake up the system.
BLOCK_SUSPENDCAP_BLOCK_SUSPENDEmploy features that can block system suspend.

比如,我们可以通过给给容器add NET_ADMIN Capability,使得我们可以对network interface进行modify,对应的docker run命令如下:

$ docker run -it --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy

Kubernetes SecurityContext

在Kubernetes对Pod的定义中,用户可以add/drop Capabilities在Pod.spec.containers.sercurityContext.capabilities中添加要add的Capabilities list和drop的Capabilities list。

比如,我要添加NET_ADMIN Capability,删除KILL Capability,则对应的Pod定义如下:

apiVersion: v1
kind: Pod
metadata:
  name: hello-world
spec:
  containers:
  - name: friendly-container
    image: "alpine:3.4"
    command: ["/bin/echo", "hello", "world"]
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        drop:
        - KILL

总结

Kubernetes通过在Pod.spec.containers.sercurityContext.capabilities中配置容器待add和drop的Capabilities,最终借助docker container Capabilities的能力,完成容器的Capabilities权限控制。

相关推荐
<p> 需要学习Windows系统YOLOv4的同学请前往《Windows版YOLOv4目标检测实战:原理与源码解析》, </p> <p> 课程链接 https://edu.csdn.net/course/detail/29865 </p> <h3> <span style="color:#3598db;">【为什么要学习这门课】</span> </h3> <p> <span>Linux</span>创始人<span>Linus Torvalds</span>有一句名言:<span>Talk is cheap. Show me the code. </span><strong><span style="color:#ba372a;">冗谈不够,放码过来!</span></strong> </p> <p> <span> </span>代码阅读是从基础到提高的必由之路。尤其对深度学习,许多框架隐藏了神经网络底层的实现,只能在上层调包使用,对其内部原理很难认识清晰,不利于进一步优化和创新。 </p> <p> YOLOv4是最近推出的基于深度学习的端到端实时目标检测方法。 </p> <p> YOLOv4的实现darknet是使用C语言开发的轻型开源深度学习框架,依赖少,可移植性好,可以作为很好的代码阅读案例,让我们深入探究其实现原理。 </p> <h3> <span style="color:#3598db;">【课程内容与收获】</span> </h3> <p> 本课程将解析YOLOv4的实现原理和源码,具体内容包括: </p> <p> - YOLOv4目标检测原理<br /> - 神经网络及darknet的C语言实现,尤其是反向传播的梯度求解和误差计算<br /> - 代码阅读工具及方法<br /> - 深度学习计算的利器:BLAS和GEMM<br /> - GPU的CUDA编程方法及在darknet的应用<br /> - YOLOv4的程序流程 </p> <p> - YOLOv4各层及关键技术的源码解析 </p> <p> 本课程将提供注释后的darknet的源码程序文件。 </p> <h3> <strong><span style="color:#3598db;">【相关课程】</span></strong> </h3> <p> 除本课程《YOLOv4目标检测:原理与源码解析》外,本人推出了有关YOLOv4目标检测的系列课程,包括: </p> <p> 《YOLOv4目标检测实战:训练自己的数据集》 </p> <p> 《YOLOv4-tiny目标检测实战:训练自己的数据集》 </p> <p> 《YOLOv4目标检测实战:人脸口罩佩戴检测》<br /> 《YOLOv4目标检测实战:中国交通标志识别》 </p> <p> 建议先学习一门YOLOv4实战课程,对YOLOv4的使用方法了解以后再学习本课程。 </p> <h3> <span style="color:#3598db;">【YOLOv4网络模型架构图】</span> </h3> <p> 下图由白勇老师绘制 </p> <p> <img alt="" src="https://img-bss.csdnimg.cn/202006291526195469.jpg" /> </p> <p>   </p> <p> <img alt="" src="https://img-bss.csdnimg.cn/202007011518185782.jpg" /> </p>
<p> 欢迎参加英特尔® OpenVINO™工具套件初级课程 !本课程面向零基础学员,将从AI的基本概念开始,介绍人工智能与视觉应用的相关知识,并且帮助您快速理解英特尔® OpenVINO™工具套件的基本概念以及应用场景。整个课程包含了视频的处理,深度学习的相关知识,人工智能应用的推理加速,以及英特尔® OpenVINO™工具套件的Demo演示。通过本课程的学习,将帮助您快速上手计算机视觉的基本知识和英特尔® OpenVINO™ 工具套件的相关概念。 </p> <p> 为保证您顺利收听课程参与测试获取证书,还请您于<strong>电脑端</strong>进行课程收听学习! </p> <p> 为了便于您更好的学习本次课程,推荐您免费<strong>下载英特尔® OpenVINO™工具套件</strong>,下载地址:https://t.csdnimg.cn/yOf5 </p> <p> 收听课程并完成章节测试,可获得本课程<strong>专属定制证书</strong>,还可参与<strong>福利抽奖</strong>,活动详情:https://bss.csdn.net/m/topic/intel_openvino </p> <p> 8月1日-9月30日,学习完成【初级课程】的小伙伴,可以<span style="color:#FF0000;"><strong>免费学习【中级课程】</strong></span>,中级课程免费学习优惠券将在学完初级课程后的7个工作日内发送至您的账户,您可以在:<a href="https://i.csdn.net/#/wallet/coupon">https://i.csdn.net/#/wallet/coupon</a>查询优惠券情况,请大家报名初级课程后尽快学习哦~ </p> <p> <span style="font-size:12px;">请注意:点击报名即表示您确认您已年满18周岁,并且同意CSDN基于商务需求收集并使用您的个人信息,用于注册OpenVINO™工具套件及其课程。CSDN和英特尔会为您定制最新的科学技术和行业信息,将通过邮件或者短信的形式推送给您,您也可以随时取消订阅不再从CSDN或Intel接收此类信息。 查看更多详细信息请点击CSDN“<a href="https://passport.csdn.net/service">用户服务协议</a>”,英特尔“<a href="https://www.intel.cn/content/www/cn/zh/privacy/intel-privacy-notice.html?_ga=2.83783126.1562103805.1560759984-1414337906.1552367839&elq_cid=1761146&erpm_id=7141654/privacy/us/en/">隐私声明</a>”和“<a href="https://www.intel.cn/content/www/cn/zh/legal/terms-of-use.html?_ga=2.84823001.1188745750.1560759986-1414337906.1552367839&elq_cid=1761146&erpm_id=7141654/privacy/us/en/">使用条款</a>”。</span> </p> <p> <br /> </p>
©️2020 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页