Which PID is using a PORT inside a k8s pod without net tools
The issue is solved by adding the POSIX capability: CAP_SYS_PTRACE
In my case the containers are under Kubernetes orchestration.
This reference explains kubectl and POSIX Capabilities.
So I have:

    root@jitsi-55584f98bf-6cwpn:/# cat /proc/1/status | grep Cap
    CapInh: 00000000a80425fb
    CapPrm: 00000000a80425fb
    CapEff: 00000000a80425fb
    CapBnd: 00000000a80425fb
    CapAmb: 0000000000000000
So I carefully read the POSIX Capabilities manual. But even after adding CAP_SYS_ADMIN, the PID does not appear in netstat. So I tested all capabilities. CAP_SYS_PTRACE is The Chosen One:
    root@jitsi-65c6b5d4f7-r546h:/# cat /proc/1/status | grep Cap
    CapInh: 00000000a80c25fb
    CapPrm: 00000000a80c25fb
    CapEff: 00000000a80c25fb
    CapBnd: 00000000a80c25fb
    CapAmb: 0000000000000000
So here is my deployment spec change:

    ...
    spec:
      ...
      template:
        ...
        spec:
          ...
          containers:
            ...
            securityContext:
              capabilities:
                add:
                  - SYS_PTRACE
    ...
Yet I don't know what security reasons SELinux uses for doing it. But for now it's good enough for me.
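To show what the missing capability actually blocks, here is an added example (not from the original post) that maps a listening port to a PID using only /proc, the same job netstat does. It assumes the standard Linux /proc layout; the sample /proc/net/tcp text is constructed for offline testing, and the fd scan is where the kernel applies a ptrace access check, which is why CAP_SYS_PTRACE is the capability that makes the PID column fill in.

```python
import os
import sys

# Constructed sample of /proc/net/tcp for offline testing: a listener on
# 0.0.0.0:8080 (socket inode 12345) and one ESTABLISHED client connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:D2A6 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""
TCP_LISTEN = 0x0A  # 'st' column value for a listening socket


def listening_inodes(proc_net_tcp_text, port):
    """Socket inodes bound to `port` in LISTEN state. /proc/net/tcp needs no
    capability; the port is hex after the colon, the inode is column 10."""
    inodes = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        f = line.split()
        if (len(f) >= 10 and int(f[3], 16) == TCP_LISTEN
                and int(f[1].split(":")[1], 16) == port):
            inodes.append(int(f[9]))
    return inodes


def pids_holding_inodes(inodes, proc="/proc"):
    """Map socket inodes to PIDs via readlink() on /proc/<pid>/fd/*. Returns
    (pids, denied): readlink on another process's fd table goes through a
    ptrace access check, so without CAP_SYS_PTRACE those PIDs land in
    `denied` and the port shows no owner, the symptom described in the post."""
    wanted = {f"socket:[{i}]" for i in inodes}
    pids, denied = set(), []
    for entry in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) in wanted:
                    pids.add(int(entry))
        except PermissionError:
            denied.append(int(entry))
        except FileNotFoundError:
            pass  # process exited or fd closed during the scan
    return sorted(pids), sorted(denied)


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    with open("/proc/net/tcp") as fh:
        inodes = listening_inodes(fh.read(), port)
    pids, denied = pids_holding_inodes(inodes)
    print(f"port {port}: inodes={inodes} pids={pids} fd tables denied={len(denied)}")
```

Run it inside the pod before and after adding SYS_PTRACE: the inode is found both times, but the PID list stays empty and the denied count is non-zero until the capability is granted.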