Closed maigl closed 1 year ago
.. I found a solution that works for me: I was able to grant the required permissions by setting the needed capabilities directly on newuidmap and newgidmap
setcap CAP_SETUID+eip /usr/bin/newuidmap
setcap CAP_SETGID+eip /usr/bin/newgidmap
within my Dockerfile.
Beware: You also need to add the capabilities to all 'calling' binaries in the call stack, e.g.
# we need to set SETUID and SETGID capabilities
# and make sure that it's inherited in all calling binaries.
RUN setcap CAP_SETUID+eip /usr/bin/newuidmap \
&& setcap CAP_SETGID+eip /usr/bin/newgidmap \
&& setcap CAP_SETGID,CAP_SETUID+eip /usr/bin/img \
&& setcap CAP_SETGID,CAP_SETUID+eip /usr/bin/bash \
...
.. and after you set the capabilities you cannot copy or move the files anymore; otherwise the capabilities will get lost.
Hi,
I was able to run img successfully. But now my company private-cloud kubernetes cluster provider changed the PSP and enforces:
The main reason seems to be to not allow sudo and other dangerous things inside the container. And now img does not work anymore and gives me the following error:
Do I have any chance to make img work when privilege escalation is explicitly not allowed?
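The two things this thread turns on are (a) what `setcap ... +eip` actually stores on the binary and loses on a plain `cp`/`mv` (the closing comment), and (b) why a PSP that forbids privilege escalation defeats it (the question). The following is an added example, not code from the img project or from either post: it decodes and re-encodes the `security.capability` xattr (layout of `struct vfs_cap_data` from `linux/capability.h`, capability bit numbers from the same header), and applies the exec-time transformation rules from capabilities(7) with and without `no_new_privs`, which is the flag Kubernetes sets when `allowPrivilegeEscalation: false` is enforced. The sample xattr bytes are constructed to match `setcap CAP_SETGID,CAP_SETUID+eip FILE`; on a real Linux box you would feed `os.getxattr(path, "security.capability")` to `decode_vfs_cap` instead.

```python
"""Decode/encode the security.capability xattr written by setcap and simulate
the exec-time capability transition from capabilities(7).
Added example; not code from the img project."""
import struct
from dataclasses import dataclass
from typing import Optional

# Capability bit numbers from <linux/capability.h>
CAP_SETGID = 6
CAP_SETUID = 7
CAP_LAST = 40                      # CAP_CHECKPOINT_RESTORE on recent kernels
ALL_CAPS = (1 << (CAP_LAST + 1)) - 1

# struct vfs_cap_data constants from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000    # 20 bytes: magic + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000    # 24 bytes: revision 2 + rootid (user namespaces)
VFS_CAP_FLAGS_EFFECTIVE = 0x1      # the "e" in +eip lives in the magic word


def bit(cap: int) -> int:
    return 1 << cap


@dataclass
class FileCaps:
    permitted: int
    inheritable: int
    effective: bool
    rootid: int = 0                # only meaningful for revision 3


def decode_vfs_cap(blob: bytes) -> FileCaps:
    """Parse the raw xattr bytes, e.g. os.getxattr(path, "security.capability")."""
    if len(blob) < 20:
        raise ValueError("too short for struct vfs_cap_data")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev == VFS_CAP_REVISION_2:
        rootid = 0
    elif rev == VFS_CAP_REVISION_3:
        if len(blob) < 24:
            raise ValueError("revision 3 blob needs 24 bytes")
        (rootid,) = struct.unpack_from("<I", blob, 20)
    else:
        raise ValueError(f"unknown vfs_cap revision {rev:#010x}")
    return FileCaps(permitted=p_lo | (p_hi << 32), inheritable=i_lo | (i_hi << 32),
                    effective=bool(magic & VFS_CAP_FLAGS_EFFECTIVE), rootid=rootid)


def encode_vfs_cap(fc: FileCaps) -> bytes:
    """Inverse of decode_vfs_cap for revision 2 (what setcap writes by default)."""
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if fc.effective else 0)
    return struct.pack("<5I", magic, fc.permitted & 0xFFFFFFFF, fc.inheritable & 0xFFFFFFFF,
                       fc.permitted >> 32, fc.inheritable >> 32)


def sample_setcap_eip_blob() -> bytes:
    """Constructed sample: what `setcap CAP_SETGID,CAP_SETUID+eip FILE` stores."""
    both = bit(CAP_SETGID) | bit(CAP_SETUID)
    return encode_vfs_cap(FileCaps(permitted=both, inheritable=both, effective=True))


def missing_caps(blob: Optional[bytes], needed: int) -> int:
    """Bitmask of `needed` caps that are not in all of permitted, inheritable and
    effective. A None blob is what a cp/mv without --preserve=xattr leaves behind."""
    if blob is None:
        return needed
    fc = decode_vfs_cap(blob)
    granted = (fc.permitted & fc.inheritable) if fc.effective else 0
    return needed & ~granted


@dataclass
class ProcCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: int = 0
    bounding: int = ALL_CAPS
    ambient: int = 0
    no_new_privs: bool = False     # set by allowPrivilegeEscalation: false


def exec_transition(p: ProcCaps, fc: Optional[FileCaps]) -> ProcCaps:
    """capabilities(7) rules for a non-root caller exec'ing a file with caps `fc`."""
    privileged = fc is not None and (fc.permitted | fc.inheritable) != 0
    ambient = 0 if privileged else p.ambient          # privileged files drop ambient
    if fc is None:
        permitted = effective = ambient
    else:
        permitted = (p.inheritable & fc.inheritable) | (fc.permitted & p.bounding) | ambient
        if p.no_new_privs:
            # Kernel (cap_bprm_creds_from_file): with no_new_privs the exec may not
            # gain anything, so the new permitted set is clipped to the old one.
            permitted &= p.permitted
        effective = permitted if fc.effective else ambient
    return ProcCaps(permitted, p.inheritable, effective, p.bounding, ambient, p.no_new_privs)


def demo() -> tuple:
    """(gets CAP_SETUID without no_new_privs, gets CAP_SETUID with no_new_privs)"""
    fc = decode_vfs_cap(sample_setcap_eip_blob())
    allowed = exec_transition(ProcCaps(), fc)
    denied = exec_transition(ProcCaps(no_new_privs=True), fc)
    return (bool(allowed.effective & bit(CAP_SETUID)), bool(denied.effective & bit(CAP_SETUID)))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `(True, False)`: the same `+eip` file capability that hands an unprivileged process CAP_SETUID on exec hands it nothing once `no_new_privs` is set, because the kernel clips the new permitted set to what the caller already had. `missing_caps` is the post-build check for the closing comment's warning: read the xattr back after any `COPY`/`mv` and confirm the bits survived.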