So far the Pods we’ve seen have all used the image
field to indicate what process Kubernetes
should run in a container. In this case, Kubernetes runs the image’s default command. If we want
to run a particular command or override the image’s defaults, there are two additional fields that
we can use:
Command
: Controls the actual command run by the imageArgs
: Controls the arguments passed to the commandDocker images have metadata associated with them that is used to store information about the image.
The image author may use this to define defaults for the command and arguments to run a container
when the user does not supply values. Docker calls the fields for commands and arguments
Entrypoint
and Cmd
respectively. The full details for this feature are too complicated to
describe here, mostly due to the fact that the docker API allows users to specify both of these
fields as either a string array or a string and there are subtle differences in how those cases are
handled. We encourage the curious to check out Docker’s documentation for this feature.
Kubernetes allows you to override both the image’s default command (docker Entrypoint
) and args
(docker Cmd
) with the Command
and Args
fields of Container
. The rules are:
Command
or Args
for a container, the defaults defined by the image
will be usedCommand
but no Args
for a container, only the supplied Command
will be
used; the image’s default arguments are ignoredArgs
, the image’s default command will be used with the arguments you
supplyCommand
and Args
, the image’s defaults will be ignored and the values
you supply will be usedHere are examples for these rules in table format
Image Entrypoint |
Image Cmd |
Container Command |
Container Args |
Command Run |
---|---|---|---|---|
[/ep-1] |
[foo bar] |
<not set> | <not set> | [ep-1 foo bar] |
[/ep-1] |
[foo bar] |
[/ep-2] |
<not set> | [ep-2] |
[/ep-1] |
[foo bar] |
<not set> | [zoo boo] |
[ep-1 zoo boo] |
[/ep-1] |
[foo bar] |
[/ep-2] |
[zoo boo] |
[ep-2 zoo boo] |
By default, Docker containers are “unprivileged” and cannot, for example, run a Docker daemon inside a Docker container. We can have fine grain control over the capabilities using cap-add and cap-drop. More details here.
The relationship between Docker’s capabilities and Linux capabilities
Docker’s capabilities | Linux capabilities |
---|---|
SETPCAP | CAP_SETPCAP |
SYS_MODULE | CAP_SYS_MODULE |
SYS_RAWIO | CAP_SYS_RAWIO |
SYS_PACCT | CAP_SYS_PACCT |
SYS_ADMIN | CAP_SYS_ADMIN |
SYS_NICE | CAP_SYS_NICE |
SYS_RESOURCE | CAP_SYS_RESOURCE |
SYS_TIME | CAP_SYS_TIME |
SYS_TTY_CONFIG | CAP_SYS_TTY_CONFIG |
MKNOD | CAP_MKNOD |
AUDIT_WRITE | CAP_AUDIT_WRITE |
AUDIT_CONTROL | CAP_AUDIT_CONTROL |
MAC_OVERRIDE | CAP_MAC_OVERRIDE |
MAC_ADMIN | CAP_MAC_ADMIN |
NET_ADMIN | CAP_NET_ADMIN |
SYSLOG | CAP_SYSLOG |
CHOWN | CAP_CHOWN |
NET_RAW | CAP_NET_RAW |
DAC_OVERRIDE | CAP_DAC_OVERRIDE |
FOWNER | CAP_FOWNER |
DAC_READ_SEARCH | CAP_DAC_READ_SEARCH |
FSETID | CAP_FSETID |
KILL | CAP_KILL |
SETGID | CAP_SETGID |
SETUID | CAP_SETUID |
LINUX_IMMUTABLE | CAP_LINUX_IMMUTABLE |
NET_BIND_SERVICE | CAP_NET_BIND_SERVICE |
NET_BROADCAST | CAP_NET_BROADCAST |
IPC_LOCK | CAP_IPC_LOCK |
IPC_OWNER | CAP_IPC_OWNER |
SYS_CHROOT | CAP_SYS_CHROOT |
SYS_PTRACE | CAP_SYS_PTRACE |
SYS_BOOT | CAP_SYS_BOOT |
LEASE | CAP_LEASE |
SETFCAP | CAP_SETFCAP |
WAKE_ALARM | CAP_WAKE_ALARM |
BLOCK_SUSPEND | CAP_BLOCK_SUSPEND |