Let say you want to prove to your security team that running a pod in Red Hat OpenShift is really removing capabilities from the running container. There is not much documentation out there which explains how to find what capabilities get stripped so I will walk you through how you can make the case.
Step 1. Choose the pod you want to inspect in OpenShift
[root@osemaster log]# oc describe pod box-1-wkxdh Name: box-1-wkxdh Namespace: box Security Policy: restricted Node: host100.rdu.salab.redhat.com/10.11.164.100 Start Time: Fri, 21 Jul 2017 16:09:35 -0400 Labels: app=box deployment=box-1 deploymentconfig=box Status: Running IP: 10.129.1.29 Controllers: ReplicationController/box-1 Containers: box: Container ID: docker://0f1596822c5b73159a37c96145d96e1b966fafb4496c630b294dff8237b2925e Image: 172.30.94.61:5000/box/box@sha256:94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984 Image ID: docker-pullable://172.30.94.61:5000/box/box@sha256:94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984
Step 2. We see that the container runs on host100. So lets login to host100 and see if this container is running
[root@host100 ~]# docker ps | grep 84 0f1596822c5b 172.30.94.61:5000/box/box@sha256:94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984 "container-entrypoint" 7 weeks ago Up 7 weeks k8s_box.caa9b8b4_box-1-wkxdh_box_80b5e05d-6e50-11e7-90e0-001a4a16016f_f37a14e0
We see that the sha 94b796d20631098724552427211e673a88f442faca3405c63bbe03db13ff8984 of the container image is matching
Step 3. Now we need to get the pid of the running container process
[root@host100 ~]# docker inspect a2ff442a9381 | grep -i Pid | head -1 "Pid": 41086,
Step 4. Lets find the CapBnd.
[root@host100 ~]# cat /proc/41086/status | grep CapBnd CapBnd: 00000000a80425fb
Step 5. We now translate that 00000000a80425fb into something readable.
[root@host100 ~]# capsh --decode=00000000a80425fb 0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Step 6. So what are all capabilities?
[root@host100 ~]# capsh --decode=0x0000001fffffffff 0x0000001fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36
Step 7. That means that the following capabilities were removed on launch:
-cap_dac_read_search
-cap_linux_immutable
-cap_net_broadcast
–cap_net_admin
-cap_ipc_lock
-cap_ipc_owner
-cap_sys_module
-cap_sys_rawio
-cap_sys_ptrace
-cap_sys_pacct
–cap_sys_admin
-cap_sys_boot
-cap_sys_nice
-cap_sys_resource
-cap_sys_time
-cap_sys_tty_config
-cap_lease
-cap_audit_control
-cap_mac_override
-cap_mac_admin
-cap_syslog
-cap_wake_alarm
-cap_block_suspend