
Which PID is using a PORT inside a k8s pod without net tools


The issue is solved by adding the POSIX capability: CAP_SYS_PTRACE

In my case the containers are under Kubernetes orchestration.

This reference explains kubectl and POSIX capabilities.

So I have

    root@jitsi-55584f98bf-6cwpn:/# cat /proc/1/status | grep Cap
    CapInh: 00000000a80425fb
    CapPrm: 00000000a80425fb
    CapEff: 00000000a80425fb
    CapBnd: 00000000a80425fb
    CapAmb: 0000000000000000

So I carefully read the POSIX capabilities manual. But even after adding CAP_SYS_ADMIN, the PID does not appear in netstat. So I tested all capabilities. CAP_SYS_PTRACE is The Chosen One.

    root@jitsi-65c6b5d4f7-r546h:/# cat /proc/1/status | grep Cap
    CapInh: 00000000a80c25fb
    CapPrm: 00000000a80c25fb
    CapEff: 00000000a80c25fb
    CapBnd: 00000000a80c25fb
    CapAmb: 0000000000000000

So here is my deployment spec change:

    ...
    spec:
      ...
      template:
        ...
        spec:
          ...
          containers:
            ...
            securityContext:
              capabilities:
                add:
                - SYS_PTRACE
    ...

Yet I don't know what security reasons SELinux uses to do it. But for now it's good enough for me.

References:
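As an added example (my code, not part of the original answer), here is the same lookup done by reading /proc directly, which is all a container without netstat, ss or lsof leaves you with; it also shows exactly where the missing CAP_SYS_PTRACE bites: the socket inode is visible to everyone in /proc/net/tcp, but listing another process's /proc/<pid>/fd to match that inode goes through the kernel's ptrace access check. Function names and the /proc layout assumptions are mine.

```python
import os
import sys


def listening_inodes(port, proc="/proc"):
    """Socket inodes bound to `port` in LISTEN state (st == 0A) per /proc/net/tcp{,6}.

    Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
    """
    inodes = set()
    for table in ("net/tcp", "net/tcp6"):
        path = os.path.join(proc, table)
        if not os.path.exists(path):
            continue
        with open(path) as f:
            next(f)  # skip the header line
            for line in f:
                fields = line.split()
                local_port = int(fields[1].rsplit(":", 1)[1], 16)  # hex port
                if local_port == port and fields[3] == "0A" and fields[9] != "0":
                    inodes.add(fields[9])
    return inodes


def pids_for_inodes(inodes, proc="/proc"):
    """Map PID -> matching 'socket:[inode]' links found under /proc/<pid>/fd.

    Reading another process's fd directory is only allowed when the ptrace
    access check passes; without CAP_SYS_PTRACE (or same uid and a dumpable
    target) the listdir raises EACCES and that PID is silently skipped, which
    is why the listener "disappears" from netstat in the answer above.
    """
    targets = {"socket:[%s]" % i for i in inodes}
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # PermissionError, or the process already exited
            continue
        for fd in fds:
            try:
                link = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if link in targets:
                owners.setdefault(int(pid), set()).add(link)
    return owners


def pids_listening_on(port):
    """Sorted list of PIDs that hold a listening socket on `port`."""
    return sorted(pids_for_inodes(listening_inodes(port)))


if __name__ == "__main__":
    print(pids_listening_on(int(sys.argv[1])))  # usage: python find_port_pid.py 8080
```

If the port shows up in /proc/net/tcp but the PID list comes back empty while running as root in the pod, that is the capability gap the answer describes, not a parsing problem.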