cap_chown capability analysis

  • cap_chown: allows changing the owner (UID) and group (GID) of any file, regardless of who created it

Let's verify what cap_chown actually controls on Kubernetes with the following three examples. The point to watch is that uid 0 alone is not enough: the kernel checks the capability, not the user id, so a root process without CAP_CHOWN is refused.

1. Container running as root with the default capability set (14 capabilities)

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: api-server
spec:
  containers:
    - name: api-server
      image: xzxwl/api-server-demo:latest
EOF

Test whether chown works

$ kubectl exec -it api-server -- sh
/work # touch 111
/work # ls -l
total 0
-rw-r--r--    1 root     root             0 Nov  3 08:55 111
/work # chown 1000:1000 111
/work # ls -l
total 0
-rw-r--r--    1 1000     1000             0 Nov  3 08:55 111
/work # exit

Clean up the test resources

$ kubectl delete pod api-server

2. Container running as root with all Linux capabilities dropped

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: api-server
spec:
  containers:
    - name: api-server
      image: xzxwl/api-server-demo:latest
      securityContext:
          capabilities:
            drop:
              - ALL
EOF

Test whether chown works

$ kubectl exec -it api-server -- sh
/work # touch 111
/work # ls -l
total 0
-rw-r--r--    1 root     root             0 Nov  3 08:55 111
/work # chown 1000:1000 111
chown: 111: Operation not permitted
/work # exit

Clean up the test resources

$ kubectl delete pod api-server

3. Container running as root with all Linux capabilities dropped and only CAP_CHOWN added back

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: api-server
spec:
  containers:
    - name: api-server
      image: xzxwl/api-server-demo:latest
      securityContext:
          capabilities:
            drop:
              - ALL
            add:
              - CHOWN
EOF

Test whether chown works

$ kubectl exec -it api-server -- sh
/work # touch 111
/work # ls -l
total 0
-rw-r--r--    1 root     root             0 Nov  3 08:55 111
/work # chown 1000:1000 111
/work # ls -l
total 0
-rw-r--r--    1 1000     1000             0 Nov  4 01:48 111
/work # exit

Clean up the test resources

$ kubectl delete pod api-server
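Rather than judging from the chown error message alone, it is useful to read the effective capability set the kernel has actually granted to the process and compare it with the chown result. The script below is an added example (not part of the original page) that decodes the CapEff field of /proc/self/status, checks bit 0 (the CAP_CHOWN capability number from <linux/capability.h>), then attempts a chown to a foreign uid:gid as the page does; it can be pasted into any of the three pods above via kubectl exec. The file name capcheck.sh and the target uid 1000 are assumptions, and the mask 00000000a80425fb used in the comments is the well-known default container capability set (14 bits set, matching example 1).

```shell
#!/bin/sh
# Added example, not from the original page: check CAP_CHOWN two ways.
#  1. decode the effective capability mask from /proc/self/status
#  2. actually try to chown a file to a uid/gid we are not
# Usage inside a pod:  kubectl exec -it api-server -- sh -c "$(cat capcheck.sh)"
# (capcheck.sh is an assumed file name)

CAP_CHOWN_BIT=0   # CAP_CHOWN is capability number 0 in <linux/capability.h>

# cap_bit_set HEXMASK BIT -> exit 0 if BIT is set in the 64-bit hex mask.
# e.g. the default container set 00000000a80425fb has bit 0 set (CAP_CHOWN)
# but bit 21 (CAP_SYS_ADMIN) clear.
cap_bit_set() {
    mask=$1
    bit=$2
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# cap_eff_mask -> print the CapEff hex field of the current process
cap_eff_mask() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# has_cap_chown -> exit 0 when CAP_CHOWN is in the effective set
has_cap_chown() {
    cap_bit_set "$(cap_eff_mask)" "$CAP_CHOWN_BIT"
}

# chown_probe -> exit 0 if chown to a foreign uid:gid succeeds.
# Target is 1000:1000 as on the page, unless we already are uid 1000
# (chown to your own uid does not need CAP_CHOWN, so that would be a false positive).
chown_probe() {
    target=1000
    [ "$(id -u)" = "1000" ] && target=1001
    dir=$(mktemp -d) || return 2
    : > "$dir/111"
    if chown "$target:$target" "$dir/111" 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# capcheck -> print a one-line verdict; exit 0 when the kernel's mask and the probe agree
capcheck() {
    mask=$(cap_eff_mask)
    if has_cap_chown; then expect=yes; else expect=no; fi
    if chown_probe; then got=yes; else got=no; fi
    echo "uid=$(id -u) CapEff=$mask cap_chown_in_set=$expect chown_to_foreign_uid_works=$got"
    [ "$expect" = "$got" ]
}

# Run the check only when executed directly, so the functions can be sourced for reuse.
case "$0" in *capcheck.sh) capcheck ;; esac
```

In example 1 the pod reports a CapEff with bit 0 set and the probe succeeds; in example 2 the mask is all zeros and the probe fails even though uid is 0; in example 3 only bit 0 is set and the probe succeeds again, which is exactly what the three chown transcripts above show.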
Copyright © weiliang 2021 all right reserved,powered by Gitbook本书发布时间: 2024-04-22 16:03:41