Systemd, Capabilities, and Kubernetes

In partnership with

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the top news, tools, videos, and articles in the TechOps industry.

👋 Before we begin... a big thank you to today's sponsor CODEIUM

Unlock Windsurf Editor, by Codeium.

Introducing the Windsurf Editor, the first agentic IDE. All the features you know and love from Codeium’s extensions plus new capabilities such as Cascade that act as collaborative AI agents, combining the best of copilot and agent systems. This flow state of working with AI creates a step-change in AI capability that results in truly magical moments.

IN TODAY'S EDITION

🧠 Use Case

  • Systemd, Capabilities, and Kubernetes

🚀 Top News

📽️ Videos

📚️ Resources

🛠️ TOOL OF THE DAY

notops (Sponsor) - a CLI tool to build and maintain production-ready, cloud-native platforms on AWS with Kubernetes and GitOps. 

  • Zero to Production on Day 1.

  • Automated Day 2 operations.

  • Cloud-native design cuts down your Kubernetes, AWS learning curve.

🧠 USE CASE

Systemd, Capabilities, and Kubernetes

90% of DevOps roadmaps are inaccurate, focusing only on the tools

You can't separate Linux from Kubernetes.

In fact, you can't separate Linux from DevOps.

Today's use case is a demonstration of how Linux Systemd and capabilities are related to Kubernetes in a security context.

What is Systemd?

Systemd is an init system and service manager for Linux, handling everything from the boot process to managing services and system resources in userspace (where programs run outside the Linux kernel).

It doesn’t just start and stop services—it can do so much more!

Systemd typically runs as the first process on boot (PID 1), and includes a command-line tool called systemd-analyze security, which checks if services are using security options and assigns each an “exposure” score.

Here’s a sample result:

'systemd-analyze security' output on Debian Bookworm

Based on analyzing your services, you need to tune up the security settings.

Here is the official documentation and a fantastic cheat sheet so you can find out more about security hardening.

What are Capabilities?

Capabilities in Linux are a way to split up the traditionally all-powerful root privileges into smaller, more specific permissions.

This means a process can have just the permissions it needs without full root access, enhancing security.

Currently, there are 40 capabilities available, ranging from very specific to broader permissions.

To manage capabilities, the Linux kernel defines several "sets":

typedef struct cap_data {
    uint32_t effective;
    uint32_t permitted;
    uint32_t inheritable;
} cap_data_t;

These sets include:

  • Effective: capabilities currently in use by the process.

  • Permitted: capabilities the process is allowed to use.

  • Inheritable: capabilities that can be passed on to child processes.

In addition to these, there’s the bounding set (the maximum capabilities a process can hold) and the ambient set (capabilities actively in effect for the process).

How Systemd, Capabilities, and Kubernetes Come Together

Let’s look at a real-world example of securing a PostgreSQL container in Kubernetes.

Systemd Security Check: We analyze PostgreSQL’s Systemd service with systemd-analyze security to review any security gaps and address them by limiting capabilities.

systemd-analyze security postgresql

Capabilities Restriction in Systemd: We update the PostgreSQL Systemd unit service files to modify the capabilities it can use, improving host-level security.

[Service]

ExecStart=/usr/lib/postgresql/15/bin/postgres -D /var/lib/postgresql/data

CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE

AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE

Capabilities in Kubernetes: Finally, we configure a Kubernetes Pod for PostgreSQL, specifying only the necessary capabilities at the container level.

apiVersion: v1

kind: Pod

metadata:

name: postgresql

labels:

app: postgresql

spec:

containers:

- name: postgres

image: postgres:15

ports:

- containerPort: 5432

securityContext:

capabilities:

add:

- NET_BIND_SERVICE

- DAC_OVERRIDE

readOnlyRootFilesystem: true

allowPrivilegeEscalation: false

runAsNonRoot: true

restartPolicy: Always

This gives you the ability to deploy containers in Kubernetes with precise, fine-grained permissions and broad access controls.

Remember,

DevOps is 20% building, 80% optimizing and operating.

Get the 'Day 0' basics right (especially Linux) before jumping into tools.

You may even like:

 

Looking to promote your company, product, service, or event to 19,000+ TechOps Professionals? Let's work together.