Running jcmd in k8 pod, permission denied or unable to open socket file

Question

For pod with java application there is security context:

spec:
  securityContext:
    runAsUser: 888
    runAsGroup: 888
    fsGroup: 888

Deployment manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: springboot-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: springboot-demo
  template:
    metadata:
      labels:
        app: springboot-demo
    spec:
      securityContext:
        runAsUser: 888
        runAsGroup: 888
      containers:
        - name: springboot-demo
          image: k8s.192.168.20.15.nip.io:5443/springboot-demo:8.0.0
          resources:
            limits:
              memory: "1024Mi"
              cpu: "1000m"
          ports:
            - containerPort: 9000
---
apiVersion: v1
kind: Service
metadata:
  name: springboot-demo
spec:
  type: NodePort
  selector:
    app: springboot-demo
  ports:
    - port: 9000
      targetPort: 9000

If I enter the container and run

jcmd GC.heap_dump

-> permission denied pic 1

If I enter as a root and run

jcmd GC.heap_dump

-> unable to open socket file /proc/1/root/tmp/.java_pid1 ...pic2

If I delete security context and run jcmd GC.heap_dump -> it works ok.

What could be the problem?

Answer 1

I think this can have something to do with linux capabilies: https://linux-audit.com/linux-capabilities-101/

I would check which capabilies are available to sh/bash process started by 888 user, and compare those bash/sh started by root.