- Bug
- Resolution: Won't Do
- Undefined
- 4.9
- Quality / Stability / Reliability
- Important
- x86_64
- Rejected
- If docs needed, set a value
Description of problem:
Linux capabilities configured in an SCC have no effect inside the container.
Version-Release number of selected component (if applicable):
-
How reproducible:
Always
Steps to Reproduce:
1. Create a new project with a deployment config that uses an image built from this simple Dockerfile:
FROM debian:bullseye-slim
RUN apt-get update && \
    apt-get install -y libcap2-bin iputils-ping iproute2 && \
    useradd uv --shell /bin/bash --create-home && \
    setcap cap_net_admin+ep /bin/ip && \
    setcap cap_net_raw+ep /bin/ping
CMD ["/bin/ping","google.com"]
2. Create an SCC with the following config:
allowedCapabilities: ["*"]
defaultAddCapabilities: ["NET_RAW", "NET_ADMIN"]
requiredDropCapabilities: []
3. Assign the SCC to a service account
4. Assign the service account to the deployment config
5. Once the pod is running, exec into the container and run: /bin/ip xfrm policy flush
Actual results:
RTNETLINK answers: Operation not permitted
Expected results:
The ip command should succeed.
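As an added diagnostic (not part of the bug report), the script below decodes the CapBnd/CapPrm/CapEff masks from /proc/<pid>/status so you can see which set the SCC's NET_ADMIN and NET_RAW actually reached; for a non-root user such as `uv`, file capabilities on /bin/ip can only raise what is present in the bounding set, so CapBnd is the first thing to compare against the SCC. The sample status text is constructed; the bit numbers come from <linux/capability.h>.

```shell
#!/bin/sh
# Added diagnostic, not from the bug report: decode the capability masks a
# process inside the container actually holds. Bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_in_mask HEXMASK BIT : succeed if BIT is set in the 64-bit hex mask
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_mask STATUS_TEXT SETNAME : print the hex mask of e.g. CapBnd or CapEff
status_mask() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p"
}

# check_cap STATUS_TEXT SETNAME BIT : print yes / no / unknown
check_cap() {
    mask=$(status_mask "$1" "$2")
    [ -n "$mask" ] || { echo unknown; return; }
    if cap_in_mask "$mask" "$3"; then echo yes; else echo no; fi
}

# report STATUS_TEXT : one line per set for the two capabilities the SCC adds
report() {
    for set in CapBnd CapPrm CapEff CapAmb; do
        printf '%-7s NET_ADMIN=%s NET_RAW=%s\n' "$set" \
            "$(check_cap "$1" "$set" "$CAP_NET_ADMIN")" \
            "$(check_cap "$1" "$set" "$CAP_NET_RAW")"
    done
}

# Constructed sample: a non-root process whose bounding set received the SCC
# capabilities but whose permitted/effective sets are empty. 0xa80425fb is the
# usual container-runtime default bounding set; 0x1000 adds NET_ADMIN (bit 12).
SAMPLE_STATUS='Name:   ping
Uid:    1000    1000    1000    1000
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80435fb
CapAmb: 0000000000000000'

# Use the live process when /proc is available, otherwise the sample above.
if [ -r /proc/self/status ]; then
    report "$(cat /proc/self/status)"
else
    report "$SAMPLE_STATUS"
fi
```

Run it inside the pod with `oc exec`; a `no` under CapBnd for NET_ADMIN means the SCC's defaultAddCapabilities never reached the container, while `yes` under CapBnd with `no` under CapEff points at the file capabilities on /bin/ip (check with `getcap /bin/ip`) rather than the SCC.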