ingress won't work without NET_BIND_SERVICE cap and allow-privilege-escalation for v0.20.0 or higher #3668
Comments
Same problem here... anyone?
That is not possible. We must be able to bind to any port for the TCP/UDP feature.
Closing. Having NET_BIND_SERVICE as a requirement is something we cannot avoid to be able to run as non-root. Edit: that said, PRs are welcome if you find a way to bind to any port and run as non-root.
Okay, I see there is no way to run without NET_BIND_SERVICE for low ports.
@TheKangaroo what's the behavior if you remove the NET_BIND_SERVICE cap and use a higher port?
@aledbf actually that's what I did yesterday.
It works just fine, but I haven't tried what will happen if I use the TCP/UDP feature yet.
- Tolerate running as a fixed high UID: `chmod` whatever is needed; don't attempt to bind(2) on lower ports
- Remove all capabilities, which cause EPERM (and that the author of the nginx controller won't fix; see kubernetes/ingress-nginx#3668)
- Set explicit resource limits on all containers
- Reset both image's names and version counters
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG
NGINX Ingress controller version: 0.20.0-0.22.0
Kubernetes version (use kubectl version): 1.11.5
Environment (uname -a): 4.14.48-coreos-r2
What happened:
I tried to update our nginx-ingress from 0.19.0 to 0.2x.0, but see
/nginx-ingress-controller: Operation not permitted
I disallow all capabilities via PSP. This worked fine for 0.19.0 with
I thought we only need the NET_BIND_SERVICE cap and allow-privilege-escalation for the port binding to 80 and 443.
This was in the release notes for 0.16.x, so I wonder how this worked with 0.19.0 but doesn't work with more recent versions.
What you expected to happen:
nginx-ingress still working without the NET_BIND_SERVICE cap and allow-privilege-escalation if I configure it to listen on high ports, as it worked in 0.19.0.
How to reproduce it (as minimally and precisely as possible):
Disallow privilege escalation and require dropping all capabilities.
Then run ingress-nginx with ports set to 8080 and 6443.
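Added example (not code from the issue or from the ingress-nginx project): a small pre-flight check that applies the reporter's policy (drop ALL capabilities, allowPrivilegeEscalation: false) to a pod spec and reports which listening ports would hit the EPERM shown above. The pod specs, function names and the `extra_ports` parameter are constructed for the example.

```python
"""Flag ports a container cannot bind under a restrictive securityContext.
Constructed pod specs below stand in for the reporter's 8080/6443 setup
and the default 80/443 setup; they are not taken from the issue."""
from typing import Any, Iterable

# Linux default: binding below this needs CAP_NET_BIND_SERVICE
# (sysctl net.ipv4.ip_unprivileged_port_start).
UNPRIVILEGED_PORT_START = 1024


def keeps_net_bind_service(sc: dict[str, Any]) -> bool:
    """Runtimes grant NET_BIND_SERVICE by default, so the container keeps it
    unless the securityContext drops it (or ALL) without adding it back."""
    caps = sc.get("capabilities") or {}
    drop = {c.upper() for c in caps.get("drop") or []}
    add = {c.upper() for c in caps.get("add") or []}
    return "NET_BIND_SERVICE" in add or not ({"ALL", "NET_BIND_SERVICE"} & drop)


def bind_findings(container: dict[str, Any], extra_ports: Iterable[int] = ()) -> list[str]:
    """One message per port the container cannot bind under its securityContext.
    extra_ports covers listeners not declared as containerPorts, such as the
    controller's TCP/UDP service passthrough mentioned in the thread."""
    sc = container.get("securityContext") or {}
    declared = [p["containerPort"] for p in container.get("ports") or []]
    low_ports = sorted({p for p in [*declared, *extra_ports] if p < UNPRIVILEGED_PORT_START})
    # The image's own USER is not visible in the spec; only explicit settings count here.
    non_root = bool(sc.get("runAsNonRoot")) or sc.get("runAsUser", 0) != 0
    findings = []
    for port in low_ports:
        if not keeps_net_bind_service(sc):
            findings.append(f"port {port}: CAP_NET_BIND_SERVICE is dropped")
        elif non_root and sc.get("allowPrivilegeEscalation") is False:
            # A non-root process starts with an empty permitted set and can only
            # pick the capability up from file capabilities at exec, which
            # allowPrivilegeEscalation: false (no_new_privs) blocks.
            findings.append(f"port {port}: non-root with allowPrivilegeEscalation=false "
                            "cannot gain CAP_NET_BIND_SERVICE at exec")
    return findings


# Constructed specs: the reporter's high-port setup versus the default 80/443.
RESTRICTED = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
              "capabilities": {"drop": ["ALL"]}}
HIGH_PORTS = {"name": "ctl", "securityContext": RESTRICTED,
              "ports": [{"containerPort": 8080}, {"containerPort": 6443}]}
LOW_PORTS = {"name": "ctl", "securityContext": RESTRICTED,
             "ports": [{"containerPort": 80}, {"containerPort": 443}]}
```

Running `bind_findings(HIGH_PORTS)` returns no findings, while `bind_findings(LOW_PORTS)` returns one per privileged port; passing a low service port via `extra_ports` shows why the TCP/UDP feature brings the requirement back.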