Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support removing NET_BIND_SERVICE permission #12199

Closed
ShuaiShao93 opened this issue Oct 15, 2024 · 11 comments
Closed

Support removing NET_BIND_SERVICE permission #12199

ShuaiShao93 opened this issue Oct 15, 2024 · 11 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@ShuaiShao93
Copy link

Some companies have constraints on pod security context that doesn't allow NET_BIND_SERVICE or using low ports. This is already supported by https://github.com/nginxinc/docker-nginx-unprivileged.

#10002

No

@ShuaiShao93 ShuaiShao93 added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 15, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 15, 2024
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@longwuyuan
Copy link
Contributor

@ShuaiShao93 your asking for a fair and reasonable thing.

But I request you consider the factors that are further from your own requirement. First aspect is that unlike a web application or a database or a message-queue etc., this project is a ingress-controller. That implies administration & infrastructure aspects like allowing traffic from outside cluster to inside the cluster. All browsers and clients that use HTTP & HTTPS use default port as 80/443. So all ingress-controllers have to use NET_BIND capabilities.

This will not change in near future and there are no resources to work on this. You can fork the project and implement your own changes. However the values file of the helm chart of this controller does provide key:value pairs to tweak default ports. Please look up the values file.

/close

@k8s-ci-robot
Copy link
Contributor

@longwuyuan: Closing this issue.

In response to this:

@ShuaiShao93 your asking for a fair and reasonable thing.

But I request you consider the factors that are further from your own requirement. First aspect is that unlike a web application or a database or a message-queue etc., this project is a ingress-controller. That implies administration & infrastructure aspects like allowing traffic from outside cluster to inside the cluster. All browsers and clients that use HTTP & HTTPS use default port as 80/443. So all ingress-controllers have to use NET_BIND capabilities.

This will not change in near future and there are no resources to work on this. You can fork the project and implement your own changes. However the values file of the helm chart of this controller does provide key:value pairs to tweak default ports. Please look up the values file.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@ShuaiShao93
Copy link
Author

ShuaiShao93 commented Oct 15, 2024

@longwuyuan I get your point, but there are kubernetes services on top of the ingress-controller pods, right? As long as the kubernetes services expose 443, we can forward the request to 8443 of the ingress-controller pods, and users' browsers should never reach the ports of the pods directly.

However the values file of the helm chart of this controller does provide key:value pairs to tweak default ports. Please look up the values file.

I tried to tweak the default ports, but it still requires NET_BIND_SERVICE because of this block: https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/Dockerfile#L71-L76

@longwuyuan
Copy link
Contributor

I don't understand what you mean by this

but there are kubernetes services on top of the ingress-controller pods, right? As long as the kubernetes services expose 443, we can forward the request to 8443 of the ingress-controller pods, and users' browsers should never reach the ports of the pods directly.

Regardless, from all previous discussions, and from all similar issues created, I understand that final decision is NET_BIND will stay. Only option is to fork project.

Apologies that this is not meeting your expectation. I can only repeat that this is infrastructure software and not a webapplication/database.

@ShuaiShao93
Copy link
Author

ShuaiShao93 commented Oct 16, 2024

I don't understand what you mean by this

When browser sends requests to a server in a kubernetes cluster, it never directly talks to the ingress-controller pod. Instead it goes through a load balancer service, and the load balancer service forwards the request to ingress-controller pod, so you can see the port and the targetPort can be different in the service below.

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
spec:
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
  type: LoadBalancer

from all similar issues created, I understand that final decision is NET_BIND will stay

Is there a link to previous discussion, if the topic I mentioned above has been discussed before?

@longwuyuan
Copy link
Contributor

longwuyuan commented Oct 16, 2024 via email

@longwuyuan
Copy link
Contributor

longwuyuan commented Oct 16, 2024 via email

@ShuaiShao93
Copy link
Author

I wonder if it requires 2 different binaries for this? Is it possible to move this block to an entrypoint.sh file, and only run it when NET_BIND is needed?

@longwuyuan
Copy link
Contributor

longwuyuan commented Oct 16, 2024 via email

@longwuyuan
Copy link
Contributor

#3668

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
Development

No branches or pull requests

3 participants