Privileged containers in Kubernetes

Let's try to create a default Pod (without the privileged option enabled):

$ kubectl run non-priv --image=busybox --command -- sh -c "sleep 1d"

Exec into this container and try to use sysctl:

$ kubectl exec -it non-priv -- sh
/ # sysctl kernel.hostname="test"
sysctl: error setting key 'kernel.hostname': Read-only file system

As you can see, setting sysctl parameters requires privileges: in an unprivileged container /proc/sys is mounted read-only.

You can configure a container inside a Kubernetes Pod to run in privileged mode using its security context. Running a container in privileged mode gives it full access to the node's kernel: all capabilities, host devices and a writable /proc/sys, so a process in such a container is essentially equivalent to root on the node.

Now, let's run a privileged container. Generate the manifest file:

$ kubectl run priv --image=busybox --command --dry-run=client -o yaml >priv.yaml -- sh -c "sleep 1d"

Adjust the manifest file priv.yaml so that the container's securityContext sets privileged: true:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: priv
  name: priv
spec:
  containers:
  - command:
    - sh
    - -c
    - sleep 1d
    image: busybox
    name: priv
    securityContext:
      privileged: true

Apply the manifest to the cluster:

$ kubectl apply -f priv.yaml

Exec into this Pod and retry the sysctl command from above:

$ kubectl exec -it priv -- sh
/ # sysctl kernel.hostname="test"
kernel.hostname = test

As you can see, after adding the privileged option, the sysctl command succeeds.
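The flip side of the walkthrough above is that a reviewer or cluster operator wants to find manifests and Pods that ask for privileged mode, and to reach for a narrower setting when one exists. The following added example (not part of the original page) does both: it scans manifests for privileged: true, lists privileged Pods in a live cluster with kubectl, enables the Pod Security Admission "baseline" level (which rejects privileged Pods) on a namespace, and shows a constructed non-privileged variant of the page's Pod that sets the hostname through spec.hostname and requests a namespaced safe sysctl through securityContext.sysctls instead. The two manifests, the variable names and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit manifests for
# privileged containers and show a non-privileged alternative.
# PRIV_MANIFEST and HARDENED_MANIFEST are constructed for this example,
# modelled on the page's priv.yaml.

# Constructed: the page's privileged Pod, as kubectl run generates it.
PRIV_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: priv
spec:
  containers:
  - command: ["sh", "-c", "sleep 1d"]
    image: busybox
    name: priv
    securityContext:
      privileged: true'

# Constructed: the same workload without privileged mode. The hostname is
# set through spec.hostname (the UTS namespace belongs to the Pod, so no
# sysctl write is needed), and a namespaced "safe" sysctl is requested
# through securityContext.sysctls, which the kubelet applies for the Pod.
HARDENED_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: non-priv
spec:
  hostname: test
  securityContext:
    sysctls:
    - name: net.ipv4.ip_local_port_range
      value: "10000 65000"
  containers:
  - command: ["sh", "-c", "sleep 1d"]
    image: busybox
    name: non-priv
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]'

# Count containers in the manifest on stdin that request privileged: true.
# grep -c prints 0 (and exits 1) when nothing matches, hence the || true.
count_privileged() {
    grep -Ec '^[[:space:]]*privileged:[[:space:]]*true[[:space:]]*$' || true
}

# Exit 0 only if the manifest on stdin requests no privileged container.
manifest_is_clean() {
    [ "$(count_privileged)" -eq 0 ]
}

# Live cluster checks (need kubectl and a cluster; not exercised offline):
# print namespace/name of every Pod with a container that sets privileged: true.
list_privileged_pods() {
    kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{"\t"}{.spec.containers[*].securityContext.privileged}{"\n"}{end}' \
        | grep -w true
}

# Make the API server reject privileged Pods in a namespace via Pod Security
# Admission: the "baseline" level forbids privileged: true.
enforce_baseline() {
    kubectl label --overwrite namespace "$1" pod-security.kubernetes.io/enforce=baseline
}

# Offline demonstration on the two constructed manifests.
for m in PRIV_MANIFEST HARDENED_MANIFEST; do
    eval "body=\$$m"
    if printf '%s\n' "$body" | manifest_is_clean; then
        echo "$m: no privileged containers"
    else
        echo "$m: $(printf '%s\n' "$body" | count_privileged) privileged container(s) requested"
    fi
done
```

Running the script offline reports one privileged container in PRIV_MANIFEST and none in HARDENED_MANIFEST; against a cluster, list_privileged_pods gives the operator the same information for running Pods, and enforce_baseline stops new ones from being admitted in a namespace.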