How does Kubernetes implement Linux capabilities?

Question

Linux capabilities is applied to an executable. If I add capabilities to a container, what does it mean? This is my container securityContext:

securityContext:
  runAsUser: 1008
  capabilities:
    add:
      - NET_ADMIN
      - NET_RAW

But my task can't create raw socket. So shall I apply capabilities to the executable when packing docker image?

Answer 1

As I have adviced you in comment section, I am posting it as an answer:

Starting with kernel 2.2, Linux has divided privileged processes’ privileges into distinct units, known as capabilities. These distinct units/privileges can be independently assigned and enabled for unprivileged processes introducing root privileges to them. Kubernetes users can use Linux capabilities to grant certain privileges to a process without giving it all privileges of the root user. This is helpful for improving container isolation from the host since containers no longer need to write as root — you can just grant certain root privileges to them and that’s it.

See: linux-cap-kubernetes.

Part of your code under container section should look like this:

securityContext:  
  capabilities:  
    add:
      - NET_ADMIN
      - NET_RAW

To run some capabilities (in your case perform various network-related operations) you have to run container as root. See example: capabilities-securitycontext.

Read more: linux-capabilities-securityContext.