OpenShift Seccomp – Securing Containers by Stripping Capabilities

Let's say you want to prove to your security team that running a pod in Red Hat OpenShift really does remove capabilities from the running container. There is not much documentation out there explaining how to find which capabilities get stripped, so I will walk you through how you can make the case.

Step 1. Choose the pod you want to inspect in OpenShift

Step 2. We see that the container runs on host100. So let's log in to host100 and check whether this container is running there.

We see that the SHA 94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984 of the container image matches.

Step 3. Now we need to get the PID of the running container process.

Step 4. Let's find the CapBnd (capability bounding set) value of that process.

Step 5. We now translate that 00000000a80425fb into something readable.

Step 6. So what are all the capabilities?

Step 7. That means that the following capabilities were removed on launch:

-cap_dac_read_search
-cap_linux_immutable
-cap_net_broadcast
-cap_net_admin
-cap_ipc_lock
-cap_ipc_owner
-cap_sys_module
-cap_sys_rawio
-cap_sys_ptrace
-cap_sys_pacct
-cap_sys_admin
-cap_sys_boot
-cap_sys_nice
-cap_sys_resource
-cap_sys_time
-cap_sys_tty_config
-cap_lease
-cap_audit_control
-cap_mac_override
-cap_mac_admin
-cap_syslog
-cap_wake_alarm
-cap_block_suspend
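The translation in steps 5 to 7 can be automated. The following script is an added example, not code from the original post: it parses the CapBnd line out of a /proc/<pid>/status excerpt (constructed here from the mask quoted above), decodes the hex mask bit by bit against the Linux capability numbering, and lists which capabilities are missing from the bounding set. The name table stops at cap_block_suspend (number 36), matching the post's kernel; on a newer host extend it up to the value of /proc/sys/kernel/cap_last_cap.

```python
"""Decode a CapBnd mask from /proc/<pid>/status into capability names."""
import re

# Linux capability numbers 0..36 in kernel order (bit n <-> CAP_NAMES[n]).
# Constructed for this example; extend it on kernels with a higher cap_last_cap.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend",
]


def decode_mask(mask_hex):
    """Return the capability names whose bit is set in the hex mask."""
    mask = int(mask_hex, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def removed_caps(mask_hex):
    """Capabilities absent from the bounding set, i.e. stripped from the container."""
    kept = set(decode_mask(mask_hex))
    return [name for name in CAP_NAMES if name not in kept]


def capbnd_from_status(status_text):
    """Pull the CapBnd hex value out of the contents of /proc/<pid>/status."""
    match = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no CapBnd line found")
    return match.group(1)


# Constructed /proc/<pid>/status excerpt carrying the mask from the post.
SAMPLE_STATUS = "Name:\tsleep\nCapPrm:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"

if __name__ == "__main__":
    bnd = capbnd_from_status(SAMPLE_STATUS)
    print("kept:   ", " ".join(decode_mask(bnd)))
    print("removed:", " ".join(removed_caps(bnd)))
```

On a live host, replace SAMPLE_STATUS with the contents of /proc/<pid>/status for the PID found in step 3.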
