Linux Capabilities form one of the most impactful — yet routinely overlooked — foundations of modern Linux security. Although containers, orchestrators, cloud runtimes, and even Kubernetes itself heavily rely on them, most engineers only encounter capabilities when a container throws an “Operation not permitted” error.
This article provides a full and unified deep-dive into Linux Capabilities:
- their conceptual origins
- inner working principles inside the Linux kernel
- file capabilities and process capability sets
- the complete table of 40+ capabilities
- real-world usage
- how capabilities work in Docker
- how they work in Kubernetes SecurityContext
- essential best practices for modern DevOps and SRE teams
By the end, you’ll understand exactly how capabilities protect your systems — and how to use them deliberately rather than accidentally.
```bash
sudo snap remove caddy
```
outline 0.7.3 · community-charts/community-charts
letsencrypt-prod.yaml
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: vladimir@dbits.lt
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: traefik
```
```bash
kubectl apply -f letsencrypt-prod.yaml
helm repo add community-charts https://community-charts.github.io/helm-charts
helm upgrade --install my-outline community-charts/outline -n outline -f outline.yaml
```
outline.yaml
```yaml
replicaCount: 1
# =========================================================
# DATABASE – built-in PostgreSQL
# =========================================================
postgresql:
  enabled: true
  auth:
    username: outline
    password: strongpassword
    database: outline
  primary:
    persistence:
      enabled: true
      size: 8Gi
# =========================================================
# REDIS
# =========================================================
redis:
  enabled: true
  auth:
    enabled: true
  master:
    persistence:
      enabled: true
      size: 8Gi
# =========================================================
# SECRETS
# =========================================================
# Example values; generate your own with `openssl rand -hex 32`.
secretKey: "b0c5e6dad49833fa0cb7d233139304724d11a97a07c9aeb331d764c7aeb36bd1"
utilsSecret: "4c075b2e00208a795f23df50996b4d4a2b104b8ee8c8d65a99dba197f8d23449"
# =========================================================
# Application URL
# =========================================================
url: "https://outline.thedevops.dev"
# =========================================================
# HTTPS ENFORCE
# =========================================================
web:
  forceHttps: true
# =========================================================
# FILE STORAGE – LOCAL
# =========================================================
fileStorage:
  mode: local
  local:
    persistence:
      enabled: true
      size: 8Gi
      accessModes:
        - ReadWriteOnce
# =========================================================
# INGRESS — TRAEFIK + CERT-MANAGER
# =========================================================
ingress:
  enabled: true
  className: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  hosts:
    - host: outline.thedevops.dev
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - outline.thedevops.dev
      secretName: outline-tls
```