比如,我们可以通过给容器添加 NET_ADMIN Capability,使得容器内进程可以修改 network interface(以及路由、iptables 等网络配置)。需要注意:NET_ADMIN 不在容器运行时默认授予的 capability 集合中;授予后其作用范围是容器所在的 network namespace,若容器使用宿主机网络(`--net=host` / `hostNetwork: true`),则等同于允许修改宿主机的网络配置。对应的 docker run 命令如下:
$ docker run -it --rm --cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy
在 Kubernetes 的 Pod 定义中,用户可以通过 `pod.spec.containers[].securityContext.capabilities` 下的 `add` 列表和 `drop` 列表来增加或移除 Capabilities(注意字段名是 securityContext)。这两个列表是针对单个容器的:Pod 级别的 securityContext 没有 capabilities 字段。从最小权限出发,建议先 `drop: ["ALL"]`,再只 `add` 确实需要的 capability。
[root@paasm1 ~]# cat pause.yaml
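apiVersion: v1
kind: Pod
metadata:
  name: pause
spec:
  containers:
  - name: pause
    image: registry.paas/cmss/busybox
    # Keep the container alive so we can exec into it.
    command: [ "sh", "-c", "sleep 1h" ]
    # No securityContext: the container runs with the runtime's default
    # capability set only. As the transcript shows, that set does not
    # include SYS_TIME, so `date -s` fails with EPERM.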
[root@paasm1 ~]# kubectl create -f pause.yaml
pod/pause created
[root@paasm1 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
docker-paasn1 0/1 Pending 0 19d
independent-jaguar-nginx-647f7998cd-gstrj 0/1 ImagePullBackOff 0 45h
pause 1/1 Running 0 27s
r00tf0rm3 0/1 ErrImagePull 0 19d
[root@paasm1 ~]# kubectl exec pause -it sh
/ # vi
/ # date
Fri May 22 06:44:13 UTC 2020
/ # date -s 09:09
date: can't set date: Operation not permitted
Fri May 22 09:09:00 UTC 2020
/ # [root@paasm1 ~]#
Pod pause 不能修改系统时间:容器运行时默认授予的 capability 集合中不包含 SYS_TIME,内核以 EPERM(Operation not permitted)拒绝了设置时钟的调用。注意 busybox 的 date 在报错后仍打印了目标时间字符串,这并不代表设置成功。
[root@paasm1 ~]# cat pause1.yaml
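apiVersion: v1
kind: Pod
metadata:
  name: pause1
spec:
  containers:
  - name: pause1
    image: registry.paas/cmss/busybox
    # Keep the container alive so we can exec into it.
    command: [ "sh", "-c", "sleep 1h" ]
    # Capabilities are per-container: this block must sit under
    # containers[].securityContext (PodSecurityContext has no
    # capabilities field).
    securityContext:
      capabilities:
        # Added on top of the runtime's default capability set.
        # SYS_TIME: allows setting the system clock. The clock is not
        #   namespaced, so this changes the time on the whole node.
        # NET_ADMIN: network configuration (interfaces, routes,
        #   iptables) in the container's network namespace, or the
        #   node's if hostNetwork is used.
        # Grant only what is needed; consider `drop: ["ALL"]` first.
        add: ["NET_ADMIN","SYS_TIME"]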
[root@paasm1 ~]# kubectl create -f pause1.yaml
pod/pause1 created
[root@paasm1 ~]# kubectl get pod
NAME READY STATUS RESTARTS AGE
docker-paasn1 0/1 Pending 0 19d
independent-jaguar-nginx-647f7998cd-gstrj 0/1 ImagePullBackOff 0 45h
pause 1/1 Running 0 7m42s
pause1 1/1 Running 0 30s
r00tf0rm3 0/1 ErrImagePull 0 19d
[root@paasm1 ~]# kubectl exec pause1 -it sh
/ # date
Fri May 22 01:13:12 UTC 2020
/ # date -s 20:20
Fri May 22 20:20:00 UTC 2020
/ # date
Fri May 22 20:20:01 UTC 2020
/ # [root@paasm1 ~]#
Pod pause1 可以修改系统时间。需要特别注意:Linux 的系统时钟并没有按 namespace 隔离,容器内执行 `date -s` 修改的是整个节点的时钟,会影响该节点上的宿主机进程和所有其他 Pod(日志时间戳、证书与令牌的有效期校验等都会受影响)。因此 SYS_TIME、NET_ADMIN 这类 capability 只应在确有需要时授予,并通过准入策略加以限制(例如 Pod Security Standards 的 baseline 级别不允许添加这两个 capability)。