OpenShift – Securing Containers by Stripping Capabilities

Let's say you want to prove to your security team that running a pod in Red Hat OpenShift really does remove capabilities from the running container. There is not much documentation out there explaining how to find out which capabilities get stripped, so I will walk you through how you can make the case.

Step 1. Choose the pod you want to inspect in OpenShift

[root@osemaster log]# oc describe pod box-1-wkxdh
Name: box-1-wkxdh
Namespace: box
Security Policy: restricted
Start Time: Fri, 21 Jul 2017 16:09:35 -0400
Labels: app=box
Status: Running
Controllers: ReplicationController/box-1
    Container ID: docker://0f1596822c5b73159a37c96145d96e1b966fafb4496c630b294dff8237b2925e
    Image ID: docker-pullable://

Step 2. We see that the container runs on host100, so let's log in to host100 and check that this container is actually running there.

[root@host100 ~]# docker ps | grep 84
0f1596822c5b    "container-entrypoint"   7 weeks ago         Up 7 weeks                              k8s_box.caa9b8b4_box-1-wkxdh_box_80b5e05d-6e50-11e7-90e0-001a4a16016f_f37a14e0

We see that the sha 94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984 of the container image matches.

Step 3. Now we need the PID of the running container process on the host.

[root@host100 ~]# docker inspect a2ff442a9381 | grep -i Pid | head -1
            "Pid": 41086,

Step 4. Let's find the CapBnd value (the capability bounding set) of that process in /proc/<pid>/status.

[root@host100 ~]# cat /proc/41086/status | grep CapBnd
CapBnd:	00000000a80425fb

Step 5. We now translate that 00000000a80425fb bitmask into human-readable capability names.

[root@host100 ~]# capsh --decode=00000000a80425fb

Step 6. So what are all the capabilities? Decode the full mask for comparison.

[root@host100 ~]# capsh --decode=0x0000001fffffffff

Step 7. Comparing the two lists shows that the following capabilities were removed on launch:
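As an added example (not part of the original post), the following Python script does steps 4 to 7 in one go: it reads the CapBnd line out of a constructed /proc/<pid>/status excerpt, decodes the bitmask the way capsh --decode does, and diffs it against the full 0x1fffffffff mask to list what the pod lost. The capability numbering is taken from linux/capability.h; the sample status text is constructed, with the CapBnd value from the post.

```python
# Added example, not from the original post: decode a CapBnd mask like
# capsh --decode and list the capabilities dropped relative to the full set.
# Numbering follows linux/capability.h; these 37 names correspond to the
# 0x0000001fffffffff "all capabilities" mask shown in the post.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend",
]
ALL_CAPS_MASK = (1 << len(CAP_NAMES)) - 1  # == 0x1fffffffff

# Constructed excerpt of /proc/<pid>/status; the CapBnd value is the one
# read from the container process in the post.
SAMPLE_STATUS = """Name:\tsleep
Pid:\t41086
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
"""

def parse_cap_field(status_text, field="CapBnd"):
    """Return the integer mask from a Cap* line of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise KeyError(field)

def decode_caps(mask):
    """Bit i set in the mask means capability number i is present."""
    return [name for i, name in enumerate(CAP_NAMES) if mask >> i & 1]

def removed_caps(mask, full=ALL_CAPS_MASK):
    """Capabilities present in the full set but absent from the bounding set."""
    return decode_caps(full & ~mask)

if __name__ == "__main__":
    bnd = parse_cap_field(SAMPLE_STATUS)
    print("kept:   ", ", ".join(decode_caps(bnd)))
    print("removed:", ", ".join(removed_caps(bnd)))
```

Running it against a real host, replace SAMPLE_STATUS with the contents of /proc/<pid>/status for the PID found in step 3.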