unknown field "capabilities" in io.k8s.api.core.v1.PodSecurityContext (running tshark in a container/k8s pod)
I have built a docker image containing tshark (it's an image I am going to use for doing various manual debugging from a kubernetes pod).

I have deployed a container in kubernetes running that image. But when I access the container and try to run tshark I get:
$ kubectl exec myapp-cbd49f587-w2swx -it bash
root@myapp-cbd49f587-w2swx:/# tshark -ni any -f "test.host" -w sample.pcap -F libpcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'any'
tshark: cap_set_proc() fail return: Operation not permitted
Googling that error:

https://www.weave.works/blog/container-capabilities-kubernetes/
https://unofficial-kubernetes.readthedocs.io/en/latest/concepts/policy/container-capabilities/

it seems I need to configure a securityContext for my container/pod. In my deployment.yaml I have added:

    containers:
    ...
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
But when I apply that deployment I get:
error: error validating "deployment.yaml": error validating data: ValidationError(Deployment.spec.template.spec.securityContext): unknown field "capabilities" in io.k8s.api.core.v1.PodSecurityContext; if you choose to ignore these errors, turn validation off with --validate=false
Adding --validate=false removes the error but also means the securityContext is ignored.

What is preventing me from setting:

    securityContext:
      capabilities:
        add:
        - NET_ADMIN
Based on the guides I have found this should be fine.
I have also looked at (looks to be non free):

https://sysdig.com/blog/tracing-in-kubernetes-kubectl-capture-plugin/

so probably the right way is to use some tool like that (ksniff) or set up a sidecar container. But I am still curious as to why I get the above error.
Looking specifically at the error: you posted only part of your manifest, and looking at it we can see that you put securityContext: at the same level as containers:

    containers:
    ...
    securityContext:
      capabilities:
        add:
        - NET_ADMIN

It should be under containers:, as written in the documentation:
To add or remove Linux capabilities for a Container, include the capabilities field in the securityContext section of the Container manifest.
Example:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: security-context-demo
    spec:
      replicas: 2
      selector:
        matchLabels:
          app: security-context-demo
      template:
        metadata:
          labels:
            app: security-context-demo
        spec:
          containers:
          - name: sec-ctx-4
            image: gcr.io/google-samples/node-hello:1.0
            securityContext:
              capabilities:
                add:
                - NET_ADMIN
Linux capabilities can be added only at container level security-context, not at the pod level.
Not obvious here, but see that the section on adding capabilities only mentions adding it to the container:

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
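As an added illustration of the point both answers make (this is example code, not from the question, the answers or Kubernetes itself): a small Python check that reports a capabilities block placed under the pod-level securityContext, where the API server rejects it, and lists which containers actually add capabilities so the extra privilege can be audited. The manifests are constructed dicts in the shape PyYAML would produce for the question's Deployment; the container-only field list comes from the core/v1 SecurityContext type.

```python
from __future__ import annotations
from typing import Any

# Fields accepted only in a container's SecurityContext, never in PodSecurityContext
# (this is why the question's manifest failed validation).
CONTAINER_ONLY_FIELDS = {"capabilities", "privileged", "allowPrivilegeEscalation",
                         "readOnlyRootFilesystem", "procMount"}


def pod_spec(manifest: dict[str, Any]) -> dict[str, Any]:
    """Return the PodSpec: spec.template.spec for a Deployment, spec for a bare Pod."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def misplaced_pod_fields(manifest: dict[str, Any]) -> list[str]:
    """Container-only securityContext fields found at the pod level (sorted)."""
    sc = pod_spec(manifest).get("securityContext") or {}
    return sorted(set(sc) & CONTAINER_ONLY_FIELDS)


def added_capabilities(manifest: dict[str, Any]) -> dict[str, list[str]]:
    """Map each container name to the Linux capabilities its securityContext adds."""
    result: dict[str, list[str]] = {}
    for c in pod_spec(manifest).get("containers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        result[c["name"]] = list(caps.get("add") or [])
    return result


def lint(manifest: dict[str, Any]) -> list[str]:
    """Findings: misplacement errors, then one audit line per capability added."""
    findings = [f"pod-level securityContext has container-only field '{f}'"
                for f in misplaced_pod_fields(manifest)]
    for name, caps in added_capabilities(manifest).items():
        findings.extend(f"container '{name}' adds capability {cap}" for cap in caps)
    return findings


# Constructed manifest reproducing the question's mistake (securityContext beside containers).
WRONG = {"apiVersion": "apps/v1", "kind": "Deployment",
         "spec": {"template": {"spec": {
             "containers": [{"name": "myapp", "image": "myapp:debug"}],
             "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}}}}

# Constructed manifest in the corrected form from the answer (capabilities on the container).
RIGHT = {"apiVersion": "apps/v1", "kind": "Deployment",
         "spec": {"template": {"spec": {
             "containers": [{"name": "myapp", "image": "myapp:debug",
                             "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}},
                            {"name": "sidecar", "image": "sidecar:1.0"}]}}}}
```

Running lint(WRONG) returns the misplacement finding that mirrors the ValidationError above, while lint(RIGHT) returns only the audit line for the container that gains NET_ADMIN.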