
docker - Operation not permitted when executing traceroute from a container deployed in Kubernetes [Linux capabilities]

Reposted. Author: 行者123. Updated: 2023-12-02 11:39:00

To understand security contexts and capabilities in Kubernetes, I created the following pod description:

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: busy
    image: busybox
    command:
    - sleep
    - "3600"
    securityContext:
      runAsUser: 2000
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

where I add the NET_ADMIN and SYS_TIME capabilities.
Given the Linux capabilities man page:
http://man7.org/linux/man-pages/man7/capabilities.7.html
I expect to be able to run a traceroute or set the date:

$ kubectl exec -it app -- traceroute google.fr
traceroute: socket: Operation not permitted
command terminated with exit code 1

$ kubectl exec -it app -- /bin/sh date --set="10:00:00"
date: can't set date: Operation not permitted

I find it odd that these operations are not permitted, since the right capabilities are set. Is this actually expected?

Best answer

In your example you are using Busybox.

Coming in somewhere between 1 and 5 Mb in on-disk size (depending on the variant), BusyBox is a very good ingredient to craft space-efficient distributions. BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system.



I tried to achieve what you want in many different scenarios. Honestly, the example you chose to test securityContext with is not the best one here. I will post very detailed information on why.

To run traceroute or set the date on busybox, you need the proper privileges. If you use the default busybox pod with root privileges, as in the example below, it will work as expected.

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
  - name: busy
    image: busybox
    command:
    - sleep
    - "3600"

$ kubectl exec -ti app -- traceroute bbc.com
traceroute to bbc.com (151.101.128.81), 30 hops max, 46 byte packets
1 10.32.1.1 (10.32.1.1) 0.006 ms 0.007 ms 0.003 ms
2 216.239.48.36 (216.239.48.36) 5.476 ms 216.239.48.74 (216.239.48.74) 5.361 ms 216.239.48.36 (216.239.48.36) 4.669 ms
...
$ kubectl exec -ti app -- ping bbc.com
PING bbc.com (151.101.0.81): 56 data bytes
64 bytes from 151.101.0.81: seq=0 ttl=54 time=6.246 ms
64 bytes from 151.101.0.81: seq=1 ttl=54 time=6.081 ms

To run traceroute you need sudo privileges. For details, check the documentation about traceroute on busybox.

As mentioned in the Kubernetes documentation regarding securityContext, in your YAML configuration you have set:

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  securityContext:
    runAsUser: 1000 ## All containers in this pod will be run as user 1000
  containers:
  - name: busy
    image: busybox
    command:
    - sleep
    - "3600"
    securityContext:
      runAsUser: 2000 ## as you specified here, by default you will enter this container as the user with ID 2000
      capabilities:
        add: ["NET_ADMIN", "SYS_TIME"]

In the example above, you set runAsUser: 1000, which means that in every container of this pod the default login will be as user 1000.
In the container spec, you set runAsUser: 2000, which means that this particular container will by default log in as user 2000.

To explain who user 1000 is, please check these docs. In short, this number is

Notice how the root user has the UID of 0. Most Linux distributions reserve the first 100 UIDs for system use. New users are assigned UIDs starting from 500 or 1000. For example, new users in Ubuntu start from 1000



The next thing I want to mention is Linux capabilities:

Output from BusyBox:
$ kubectl exec -ti app /bin/sh
/ # capsh --print
/bin/sh: capsh: not found

Output from Ubuntu:
$ kubectl exec -ti ubuntu /bin/bash
root@ubuntu:/# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
...
root@ubuntu:/# capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap

If you want to use capabilities, you won't achieve it with Busybox. If you want to learn more about traceroute on linux, please check this link.

As a final test with traceroute, I created random users in the containers.

Ubuntu (the default ubuntu image does not have traceroute; you need to install it: apt-get update to refresh the repositories, then apt-get install traceroute):
$ kubectl exec -ti ubuntu /bin/sh
# whoami
root
# traceroute bbc.com
traceroute to bbc.com (151.101.0.81), 30 hops max, 60 byte packets
1 10.32.1.1 (10.32.1.1) 0.032 ms 0.008 ms 0.007 ms
2 209.85.253.197 (209.85.253.197) 6.294 ms 216.239.48.74 (216.239.48.74) 5.613 ms 216.239.48.36 (216.239.48.36) 5.335 ms
# useradd -m test
# passwd test
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
# su test
$ whoami
test
$ id
uid=1000(test) gid=1000(test) groups=1000(test)
$ traceroute bbc.com
traceroute to bbc.com (151.101.64.81), 30 hops max, 60 byte packets
1 10.32.1.1 (10.32.1.1) 0.034 ms 0.008 ms 0.008 ms
2 216.239.48.36 (216.239.48.36) 5.515 ms 216.239.51.111 (216.239.51.111) 5.494 ms 216.239.48.36 (216.239.48.36) 5.591 ms

Busybox:
$ kubectl exec -ti app /bin/sh
/ # whoami
root
/ # traceroute bbc.com
traceroute to bbc.com (151.101.192.81), 30 hops max, 46 byte packets
1 10.32.1.1 (10.32.1.1) 0.005 ms 0.006 ms 0.003 ms
2 216.239.48.36 (216.239.48.36) 5.453 ms 216.239.48.74 (216.239.48.74) 4.812 ms 209.85.252.4 (209.85.252.4) 6.787 ms
/ # adduser test
Changing password for test
New password:
Retype password:
passwd: password for test changed by root
/ # su test
/ $ whoami
test
/ $ id
uid=1000(test) gid=1000(test) groups=1000(test)
/ $ traceroute bbc.com
traceroute: socket: Operation not permitted

In short, to execute traceroute on Busybox you need root privileges. To run traceroute on ubuntu you must install the traceroute command beforehand.

Regarding changing the date inside a container, please check this thread.
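The answer above checks two things, the UID the container process runs as and the capability sets reported by capsh, and those are the right things to inspect when a request like this is refused. Even where capsh is missing, as in the busybox image, every Linux container exposes the same information in the Cap* lines of /proc/self/status, so the following is an added example (not code from the original question, the answer, or any project) of a small Python decoder for those lines. The bit numbers follow the kernel's capability.h; the two status snippets embedded in it are constructed to mirror the page's pod spec (NET_ADMIN and SYS_TIME added on top of a runtime's usual default set), not captured from a real cluster. They illustrate the rule from capabilities(7) that matters here: a capability granted to the container lands in the bounding set, but a process running with a non-zero UID starts with empty permitted and effective sets unless file or ambient capabilities supply them, so the syscall behind traceroute or date is still refused.

```python
"""Decode the Cap* lines of /proc/<pid>/status (added example, not from the page)."""
import re

# Capability name per bit position; the list index is the bit number (CAP_CHOWN == 0).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def cap_bit(name):
    """Map 'NET_RAW', 'net_raw' or 'cap_net_raw' to its bit number."""
    key = name.lower()
    if key.startswith("cap_"):
        key = key[4:]
    return CAP_NAMES.index(key)  # raises ValueError for an unknown name


def parse_cap_masks(status_text):
    """Return {'CapInh': int, ..., 'CapAmb': int} parsed from status-file text."""
    masks = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    missing = [s for s in CAP_SETS if s not in masks]
    if missing:
        raise ValueError("status text lacks " + ", ".join(missing))
    return masks


def decode_mask(mask):
    """Expand a bitmask into the cap_xxx names it contains, in ascending bit order."""
    return ["cap_" + CAP_NAMES[b] for b in range(len(CAP_NAMES)) if (mask >> b) & 1]


def is_effective(status_text, name):
    """True only if the capability is in the effective set, i.e. usable right now."""
    return bool((parse_cap_masks(status_text)["CapEff"] >> cap_bit(name)) & 1)


def explain(status_text, wanted):
    """Classify each wanted capability by the sets that hold it:
    'effective'      - in CapEff: the privileged syscall is allowed
    'permitted-only' - in CapPrm but not CapEff: the process could raise it itself
    'bounding-only'  - only in CapBnd: the runtime allowed it, but this UID did
                       not receive it on execve (the symptom seen on the page)
    'absent'         - in no set: the runtime never granted it
    """
    masks = parse_cap_masks(status_text)
    result = {}
    for name in wanted:
        bit = cap_bit(name)
        if (masks["CapEff"] >> bit) & 1:
            result[name] = "effective"
        elif (masks["CapPrm"] >> bit) & 1:
            result[name] = "permitted-only"
        elif (masks["CapBnd"] >> bit) & 1:
            result[name] = "bounding-only"
        else:
            result[name] = "absent"
    return result


# Constructed sample: the page's pod spec with the process running as root.
# 0xaa0435fb = a common runtime default set plus cap_net_admin (bit 12) and cap_sys_time (bit 25).
ROOT_STATUS = """Name:\tsleep
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000aa0435fb
CapEff:\t00000000aa0435fb
CapBnd:\t00000000aa0435fb
CapAmb:\t0000000000000000
"""

# Constructed sample: same spec with runAsUser: 2000. The added capabilities remain
# in the bounding set, while the permitted and effective sets are empty.
NONROOT_STATUS = (
    ROOT_STATUS.replace("Uid:\t0\t0\t0\t0", "Uid:\t2000\t2000\t2000\t2000")
    .replace("CapPrm:\t00000000aa0435fb", "CapPrm:\t0000000000000000")
    .replace("CapEff:\t00000000aa0435fb", "CapEff:\t0000000000000000")
)

if __name__ == "__main__":
    for label, text in (("root", ROOT_STATUS), ("uid 2000", NONROOT_STATUS)):
        print(label, "effective:", decode_mask(parse_cap_masks(text)["CapEff"]))
        print(label, explain(text, ["NET_RAW", "NET_ADMIN", "SYS_TIME", "SYS_ADMIN"]))
```

Inside a running pod the same check is `kubectl exec app -- cat /proc/1/status` piped into `parse_cap_masks`; a result of `bounding-only` for the capability you added is the signature of the non-root case, and the fix is then a decision about the UID or about file/ambient capabilities for that binary, not about adding more entries to `capabilities.add`.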

Regarding "docker - Operation not permitted when executing traceroute from a container deployed in Kubernetes [Linux capabilities]", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/61043365/
