Tags: c, linux, docker, kubernetes, raw-sockets

Unable to open a raw socket in a Linux container even after setting cap_net_raw


I am running code which opens a raw socket inside a Docker container, with Kubernetes as the orchestrator.

Following is my sample code:

#include <stdio.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <errno.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <unistd.h>

int main (void)
{
        /* Create a raw socket; this needs CAP_NET_RAW in the calling
         * process's effective set, otherwise socket() fails with EPERM. */
        int s = socket (AF_INET, SOCK_RAW, IPPROTO_SCTP);

        if(s == -1)
        {
                perror("Failed to create socket");
                exit(1);
        }

        close(s);
        return 0;
}

On running the code as a non-root user in my container/pod, I got this error:

./rawSocTest
Failed to create socket: Operation not permitted

This is obvious, as it requires root-level privileges to open a raw socket. I corrected this by setting the capability cap_net_raw:

getcap rawSocTest
rawSocTest = cap_net_raw+eip

Now, when I run it again, I am getting a different error:

./rawSocTest
bash: ./rawSocTest: Permission denied

As per my understanding, setting the capability should have fixed my issue. Am I missing something here, or is this a known limitation of containers?

Thanks in advance.


Solution

  • I solved it. I needed to set the capabilities in the container's securityContext section of the Kubernetes deployment. I added the NET_RAW capability to allow raw socket creation. I was under the impression that just adding the capability cap_net_raw to the process while building would suffice, but my understanding turned out to be wrong.

    I did some study and cleaned up the deployment solution. I added NET_RAW to the allowed capabilities section of my pod security policy. Then I created a Role and a RoleBinding, and through the RoleBinding linked it to the service account in the namespace where my pod will be deployed. Then I used this serviceAccount in the pod deployment. Not sure if this is a good solution.
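The chain the answer describes (PodSecurityPolicy allowing NET_RAW, a Role granting `use` on it, a RoleBinding to a ServiceAccount, and a Deployment that runs under that ServiceAccount and adds NET_RAW in its securityContext), written out as one manifest. This is an added example, not the answerer's own manifest; the namespace `rawsock`, the names `rawsock-psp`, `rawsock-sa`, `use-rawsock-psp`, the image reference and the UID 1000 are all assumptions. The reason the file capability alone did not help is that `capabilities.add` controls the container's bounding set: when a binary carries `cap_net_raw+eip` (effective bit set) and CAP_NET_RAW is outside the bounding set, the kernel refuses the exec with EPERM, which is the "Permission denied" bash printed.

```yaml
# Added example (not from the original post). Names, namespace, image and UID are assumptions.
# PodSecurityPolicy exists only on clusters older than Kubernetes 1.25 (see note below).
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: rawsock-psp
spec:
  privileged: false
  # Must stay true: honouring file capabilities on exec is a privilege gain,
  # and setting this false turns on no_new_privs, which makes the kernel
  # ignore the binary's cap_net_raw+eip.
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - NET_RAW
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
  - configMap
  - secret
  - emptyDir
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: rawsock-sa
  namespace: rawsock
---
# Role that allows "use" of exactly this PSP, nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-rawsock-psp
  namespace: rawsock
rules:
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["rawsock-psp"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-rawsock-psp
  namespace: rawsock
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-rawsock-psp
subjects:
- kind: ServiceAccount
  name: rawsock-sa
  namespace: rawsock
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rawsock
  namespace: rawsock
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rawsock
  template:
    metadata:
      labels:
        app: rawsock
    spec:
      serviceAccountName: rawsock-sa
      containers:
      - name: rawsock
        # Assumed image: contains rawSocTest already marked cap_net_raw+eip.
        image: example.invalid/rawsoctest:latest
        command: ["./rawSocTest"]
        securityContext:
          runAsNonRoot: true
          runAsUser: 1000
          allowPrivilegeEscalation: true
          capabilities:
            drop: ["ALL"]      # start from nothing ...
            add: ["NET_RAW"]   # ... and put only NET_RAW in the bounding set
```

To confirm the bounding set from inside the running container, read `grep CapBnd /proc/1/status`; with `drop: ["ALL"]` and `add: ["NET_RAW"]` the value is `0000000000002000` (CAP_NET_RAW is bit 13), and `capsh --decode=0000000000002000` prints `cap_net_raw`. Two caveats for anyone reusing this on a current cluster: PodSecurityPolicy was removed in Kubernetes 1.25, and its replacement, Pod Security Admission, does not permit adding NET_RAW under the baseline or restricted profiles, so the namespace would have to run at the privileged level or be governed by a third-party admission policy that allows exactly this capability. Keeping `drop: ["ALL"]` is what limits the blast radius of that exception to raw-socket access alone.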