Release image without capabilities set #1461
Comments
You can run blocky with PSS restricted. PSS restricted allows to add
This is how I run blocky in a Namespace with PSS restricted, version v1.26: https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/blob/37b991bc0f7f4955773bce1df3ef5a0b6ce6cd0f/apps/k8s01/dns/dns.yaml
I supposed that the config below should work:

```yaml
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
```

However, the point is I do not need privileged ports and want to run without
Perhaps I should have renamed the issue...
While I confirm that the configuration below works in my cluster:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: blocky
spec:
  ...
      containers:
        - name: blocky
          image: ghcr.io/0xerr0r/blocky:v0.24
          ports:
            - name: dns-udp
              containerPort: 1053
              protocol: UDP
            - name: dns-tcp
              containerPort: 1053
              protocol: TCP
            - name: http
              containerPort: 4000
              protocol: TCP
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
      securityContext:
        runAsUser: 100
        runAsGroup: 100
        runAsNonRoot: true
        fsGroup: 100
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
```

there might be clusters (old versions?) which do not set Linux Capabilities in OpenShift
That said, the dedicated unprivileged image is still the preferable solution, I think.
Edit: seems,
This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.
I deploy Blocky in Kubernetes and always try to comply with the Restricted profile of the Pod Security Standards. It requires dropping all capabilities except NET_BIND_SERVICE.

I deploy Blocky on a high port:

with the container settings below:

Currently, Blocky cannot run in the Restricted profile. I get the log line

and the container gets restarted.

If I comment out `capabilities: drop: - ALL`, then the container runs.

While working on #1460, I built a custom image without `setcap 'cap_net_bind_service=+ep'`, commenting out `BIN_AUTOCAB=1`. This image runs well in the fully restricted PSS profile.

Besides, I want to mention #1353.

That being said, it would be great to have an image without capabilities. It could be a separate version like `v0.23-unprivileged`.
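The mechanism behind this issue and the two workarounds in the comments (adding NET_BIND_SERVICE, or building an image without the `setcap` step) can be shown with a small model. The script below is an added example written for this page; it is not blocky's code and does not run kubectl or setcap. It derives the container's capability bounding set from a Kubernetes `securityContext` (assuming the usual Docker/containerd default capability list), applies the execve() file-capability rule from capabilities(7) to a binary carrying `cap_net_bind_service=+ep`, and runs a subset of the Pod Security Standards "restricted" checks over a constructed pod spec modelled on the Deployment posted above. The `blocky_pod`, `scenario` and `exec_outcome` names are this example's own.

```python
"""Model of why a binary with file capabilities fails under PSS restricted.

Added example, not part of the blocky project. Two pieces are modelled:
  1. Kubernetes capabilities.drop / capabilities.add shape the container's
     capability bounding set X (drop is applied first, then add).
  2. The execve() rule for file capabilities from capabilities(7):
         pP' = (X & fP) | (pI & fI)
     and, when the file's effective bit is set, execve() fails with EPERM if
     some file-permitted capability could not be acquired. This is what makes
     a `setcap cap_net_bind_service=+ep` binary exit under `drop: [ALL]`.
"""
from __future__ import annotations

# Typical default bounding set granted by Docker/containerd (an assumption).
RUNTIME_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})
# Representative superset used when a manifest says `add: [ALL]`.
ALL_CAPS = RUNTIME_DEFAULT_CAPS | {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}


def bounding_set(container: dict) -> frozenset:
    """Derive the bounding set X from securityContext.capabilities."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    drop = {c.upper() for c in caps.get("drop", [])}
    add = {c.upper() for c in caps.get("add", [])}
    x = set(RUNTIME_DEFAULT_CAPS)
    if "ALL" in drop:
        x.clear()
    else:
        x -= drop
    x |= ALL_CAPS if "ALL" in add else add
    return frozenset(x)


def exec_outcome(bounding: frozenset, file_permitted: frozenset, file_effective: bool,
                 proc_inheritable: frozenset = frozenset(),
                 file_inheritable: frozenset = frozenset()) -> tuple[bool, frozenset]:
    """Apply the execve() file-capability rule; return (exec_succeeds, pP')."""
    new_permitted = (bounding & file_permitted) | (proc_inheritable & file_inheritable)
    missing = file_permitted - new_permitted
    if file_effective and missing:
        return False, new_permitted   # kernel returns EPERM, process never starts
    return True, new_permitted        # runs, possibly with fewer caps than the file asked for


def pss_restricted_violations(pod_spec: dict) -> list[str]:
    """Subset of the PSS 'restricted' checks that matter for this issue."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems: list[str] = []
    for c in pod_spec.get("containers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if "ALL" not in {x.upper() for x in caps.get("drop", [])}:
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = {x.upper() for x in caps.get("add", [])} - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE, got {sorted(extra)}")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if sc.get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def blocky_pod(add_caps: list[str] | None, drop_all: bool = True) -> dict:
    """Constructed pod spec mirroring the Deployment posted in the thread."""
    caps: dict = {}
    if drop_all:
        caps["drop"] = ["ALL"]
    if add_caps:
        caps["add"] = list(add_caps)
    return {
        "securityContext": {"runAsUser": 100, "runAsGroup": 100, "runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "blocky",
            "image": "ghcr.io/0xerr0r/blocky:v0.24",
            "ports": [{"name": "dns-udp", "containerPort": 1053, "protocol": "UDP"}],
            "securityContext": {"capabilities": caps, "readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False},
        }],
    }


# File capabilities on the binary: `setcap cap_net_bind_service=+ep` sets the
# permitted and effective bits, no inheritable ones. The second tuple is the
# "unprivileged" image the issue asks for (no file capabilities at all).
IMAGE_WITH_SETCAP = (frozenset({"NET_BIND_SERVICE"}), True)
IMAGE_WITHOUT_SETCAP = (frozenset(), False)


def scenario(pod: dict, image: tuple[frozenset, bool]) -> dict:
    """Combine the exec rule and the policy check for one pod/image pair."""
    container = pod["containers"][0]
    ok, _ = exec_outcome(bounding_set(container), image[0], image[1])
    return {"exec_ok": ok, "pss_violations": pss_restricted_violations(pod)}


if __name__ == "__main__":
    for label, pod, image in [
        ("drop ALL, setcap image", blocky_pod(None), IMAGE_WITH_SETCAP),
        ("drop ALL + add NET_BIND_SERVICE, setcap image", blocky_pod(["NET_BIND_SERVICE"]), IMAGE_WITH_SETCAP),
        ("no drop, setcap image", blocky_pod(None, drop_all=False), IMAGE_WITH_SETCAP),
        ("drop ALL, image without file caps", blocky_pod(None), IMAGE_WITHOUT_SETCAP),
    ]:
        print(f"{label}: {scenario(pod, image)}")
```

The four scenarios reproduce the thread: `drop: [ALL]` with the released image passes the policy check but the binary cannot be executed (the restart loop from the issue); adding NET_BIND_SERVICE back makes exec succeed while staying inside the restricted profile; leaving the default capabilities makes the binary run but fails the `drop ALL` check; and an image without the `setcap` step runs under `drop: [ALL]` with no exception at all, which is the option the issue requests.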