Why is CRI-O allowing CAP_ prefix for capabilities? #8882

penrik · 2025-01-02T15:22:20Z

penrik
Jan 2, 2025

We received manifests from another team running CRI-O in their cluster, while we are using containerd. When we deployed their manifests, all hell broke loose.

We discovered that the team using CRI-O had under securityContext specified capabilities with the CAP_ prefix, which does not work in containerd.

According to the Kubernetes documentation:

Note:
Linux capability constants have the form CAP_XXX. However, when you list capabilities in your container manifest, you must omit the CAP_ portion of the constant. For example, to add CAP_SYS_TIME, include SYS_TIME in your list of capabilities.

Source: Kubernetes Documentation

So, what is up with this? Why does CRI-O allow the CAP_ prefix for capabilities, while containerd does not?

haircommander · 2025-01-02T15:53:54Z

haircommander
Jan 2, 2025
Maintainer

my understanding is this was inherited from docker, which is codified in the OCI spec. there's a lot of background and history here, but my understanding is last we talked about it containerd was going to add support for CAP_ prefix. i don't believe CRI-O is in the wrong here.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Why is CRI-O allowing CAP_ prefix for capabilities? #8882

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Why is CRI-O allowing CAP_ prefix for capabilities? #8882

Uh oh!

penrik Jan 2, 2025

Replies: 1 comment

Uh oh!

haircommander Jan 2, 2025 Maintainer

penrik
Jan 2, 2025

haircommander
Jan 2, 2025
Maintainer