Capabilities checking not working in kubernetes pod with shareProcessNamespace enabled

Question

Capabilities checking not working in kubernetes pod with shareProcessNamespace enabled

Opened this issue 2 months ago · 3 comments

In entrypoint /docker-entrypoint.sh, capabilities are checked on process with PID 1 with 'getpcaps 1'. However when running in a kubernetespod with shareProcessNamespace enabled (for log rotating purposes), the running process does not hold PID 1.
Could you check against current PID instead of PID 1?
Thanks

Answer 1 · 2024-11-06T16:21:03.000Z

It looks like chaning getpcaps 1 to getpcaps 0 is enough, as that uses the current process. Sound OK to you?

Answer 2 · 2024-11-06T16:24:33.000Z

It sounds good to me

Answer 3 · 2024-11-06T18:50:43.000Z

I've pushed new images with this change.