1

When I created a pod with the below security context, which has permission to change the system time, I am getting an error.

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    securityContext:
     runAsUser: 1010
     capabilities:
        add: ["SYS_TIME"]
    name: ubuntu

I am getting an error: can't set date, operation not permitted.

master $ kubectl create -f ubu.yml
pod/ubuntu-sleeper created
master $ kubectl exec -it ubuntu-sleeper -- date -s '19 APR 2012 11:14:00'
date: cannot set date: Operation not permitted
Thu Apr 19 11:14:00 UTC 2012
command terminated with exit code 1
master $ 
DevOpsGeek

2 Answers

4

To change system time, you will have to run the container as root:

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    securityContext:
     capabilities:
        add: ["SYS_TIME"]
    name: ubuntu
Fritz Duchardt
  • Any clue why I cannot run as non-privileged user in this case? It looks like it was possible in k8s lower than 1.21 – Jakub Rak Apr 21 '22 at 13:56
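
A check for the behaviour discussed in the answer above, as an added example that is not part of the original posts: it decodes the Cap* lines of /proc/<pid>/status and reports whether CAP_SYS_TIME (bit 25) is in the effective set, which is the set the kernel consults when a process sets the clock. The two status samples and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which capability sets of a process hold CAP_SYS_TIME.
CAP_SYS_TIME=25   # capability number from <linux/capability.h>

# Constructed sample: UID 1010, capability present only in the bounding set.
NONROOT_STATUS='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000aa0425fb
CapAmb: 0000000000000000'

# Constructed sample: UID 0, same mask also permitted and effective.
ROOT_STATUS='CapInh: 0000000000000000
CapPrm: 00000000aa0425fb
CapEff: 00000000aa0425fb
CapBnd: 00000000aa0425fb
CapAmb: 0000000000000000'

# cap_sets_with STATUS_TEXT BIT: print the names of the sets that contain BIT.
cap_sets_with() {
    printf '%s\n' "$1" | while read -r key hex; do
        case "$key" in
            CapInh:|CapPrm:|CapEff:|CapBnd:|CapAmb:)
                if [ $(( (0x$hex >> $2) & 1 )) -eq 1 ]; then
                    printf '%s ' "${key%:}"
                fi ;;
        esac
    done
}

# can_set_time STATUS_TEXT: succeed only if CAP_SYS_TIME is effective.
can_set_time() {
    case " $(cap_sets_with "$1" "$CAP_SYS_TIME")" in
        *" CapEff "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live input would come from inside the pod, for example:
#   kubectl exec ubuntu-sleeper -- cat /proc/1/status
for sample in "$NONROOT_STATUS" "$ROOT_STATUS"; do
    if can_set_time "$sample"; then
        echo "CAP_SYS_TIME effective: date -s can succeed"
    else
        echo "CAP_SYS_TIME not effective (found in: $(cap_sets_with "$sample" "$CAP_SYS_TIME"))"
    fi
done
```

A capability that shows up only under CapBnd is a ceiling on what the process could acquire, not a privilege it currently holds.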
0

Should work if you move the user up to the pod level

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
  namespace: default
spec:
  securityContext:
    runAsUser: 1010
  containers:
  - command:
    - sleep
    - "4800"
    image: ubuntu
    name: ubuntu-sleeper
    securityContext:
      capabilities:
        add: ["SYS_TIME"]