I am doing some security research on Kubernetes and I found something still mysterious to me, concerning capabilities.
Example of simple pod:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod-httpd
spec:
  containers:
  - name: my-pod-httpd-c1
    image: httpd:2.4
    command: ["/bin/sh"]
    args: ["-c", 'sleep 60m']
    imagePullPolicy: IfNotPresent
  restartPolicy: Always
By default, in the container (running as UID 0):
cat /proc/1/status | grep Cap
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 00000000a80425fb
With this pod, I try to add a capability (SETUID) while also running it with a specific UID/GID:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod-httpd-2
spec:
  containers:
  - name: my-pod-httpd-2-c1
    image: httpd:2.4
    command: ["/bin/sh"]
    args: ["-c", 'sleep 60m']
    imagePullPolicy: IfNotPresent
    securityContext:
      runAsUser: 33
      runAsGroup: 33
      capabilities:
        add: ["SETUID"]
  restartPolicy: Always
But when I checked the capabilities, here is what I get:
cat /proc/1/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Why is my added capability not there, and why has everything been dropped? Any idea?
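As an added aid (not part of the question), a small decoder for the Cap* masks shown above. It names the bits in each hex mask using the capability numbers from linux/capability.h, and flags capabilities that the bounding set (CapBnd) allows but the effective set (CapEff) does not, which is exactly what the second dump shows for CAP_SETUID. The two status dumps are the ones from the question, embedded as constructed input.

```python
from typing import Dict, Set

# Capability numbers from linux/capability.h; list index == capability number.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def decode_mask(hex_mask: str) -> Set[str]:
    """Turn one Cap* hex mask from /proc/<pid>/status into CAP_* names."""
    mask = int(hex_mask, 16)
    return {"CAP_" + (CAP_NAMES[i] if i < len(CAP_NAMES) else str(i))
            for i in range(mask.bit_length()) if mask >> i & 1}

def parse_status(text: str) -> Dict[str, Set[str]]:
    """Parse the five Cap* lines of a status dump into named sets."""
    sets: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in CAP_SETS:
            sets[key.strip()] = decode_mask(value.strip())
    return sets

def usable(sets: Dict[str, Set[str]], cap: str) -> bool:
    # Only the effective set grants anything; CapBnd is just the ceiling.
    return cap in sets.get("CapEff", set())

def allowed_but_unusable(sets: Dict[str, Set[str]]) -> Set[str]:
    # Capabilities the bounding set permits but the process cannot exercise.
    return sets.get("CapBnd", set()) - sets.get("CapEff", set())

# Constructed inputs: the two /proc/1/status dumps from the question.
ROOT_STATUS = "CapInh: 00000000a80425fb\nCapPrm: 00000000a80425fb\n" \
              "CapEff: 00000000a80425fb\nCapBnd: 00000000a80425fb\nCapAmb: 00000000a80425fb"
UID33_STATUS = "CapInh: 0000000000000000\nCapPrm: 0000000000000000\n" \
               "CapEff: 0000000000000000\nCapBnd: 00000000a80425fb\nCapAmb: 0000000000000000"

if __name__ == "__main__":
    for label, dump in (("uid 0", ROOT_STATUS), ("uid 33", UID33_STATUS)):
        s = parse_status(dump)
        print(label, "CAP_SETUID usable:", usable(s, "CAP_SETUID"),
              "| in CapBnd only:", sorted(allowed_but_unusable(s)))
```

Running it against a live container is `python3 decode.py < /proc/1/status`-style work: read the file, pass its text to `parse_status`, and check `usable(sets, "CAP_SETUID")` rather than eyeballing the hex.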