Linux capabilities is applied to an executable. If I add capabilities to a container, what does it mean? This is my container securityContext:
securityContext:
runAsUser: 1008
capabilities:
add:
- NET_ADMIN
- NET_RAW
But my task can't create raw socket. So shall I apply capabilities to the executable when packing docker image?
As I have adviced you in comment section, I am posting it as an answer:
Starting with kernel 2.2, Linux has divided privileged processes’ privileges into distinct units, known as capabilities. These distinct units/privileges can be independently assigned and enabled for unprivileged processes introducing root privileges to them. Kubernetes users can use Linux capabilities to grant certain privileges to a process without giving it all privileges of the root user. This is helpful for improving container isolation from the host since containers no longer need to write as root — you can just grant certain root privileges to them and that’s it.
See: linux-cap-kubernetes.
Part of your code under container section should look like this:
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
To run some capabilities (in your case perform various network-related operations) you have to run container as root. See example: capabilities-securitycontext.
Read more: linux-capabilities-securityContext.