Little helper to guess required linux capabilities for pods in your Kubernetes cluster.
kubectl apply -f ds.yamlOnce installed, the application will create configmaps for each containers in the cluster, named
k2a-${POD_NAME}-${CONTAINER_NAME} in the pod namespace.
# Get all configmaps
kubectl get cm --all-namespaces -l 'k8s-app=kube2allow'
# Delete generated configmaps
kubectl delete cm --all-namespaces -l 'k8s-app=kube2allow'
# Uninstall kube2allow
kubectl delete -f ds.yamlThe mapping is extracted from referenced capabilities in the man 2 page.
You can generate app/caps_mapping.json with this command:
make app/caps_mapping.jsonYou can either rebuild the image to embed this file, or mount it as a volume on /caps_mapping.json in the container.
-
This application guesses the capabilities by trapping system calls, but there is no direct mapping between syscall and required caps. Thus, it is done by parsing the
manpage, but this can lead to a broader set of capabilities than the process really requires. -
syscalls are detected at runtime, but it can happen that a container only requires capabilities during initialization. In order to ensure all capabilities have been scraped, you can restart the pods once
kube2allowis installed.