
Release image without capabilities set #1461

Open
zc-devs opened this issue Apr 26, 2024 · 4 comments
Labels
🧰 technical debts Technical debts, refactoring
Milestone

Comments

@zc-devs
Contributor

zc-devs commented Apr 26, 2024

I deploy Blocky in Kubernetes and always try to comply with the Restricted profile of the Pod Security Standard. It requires dropping all capabilities except NET_BIND_SERVICE.

I deploy Blocky on a high port:

    ports:
      dns: 1053
      http: 4000

with the container settings below:

      containers:
        - name: blocky
          image: ghcr.io/0xerr0r/blocky:v0.23
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          ports:
            - name: dns-tcp
              containerPort: 1053
            - name: dns-udp
              containerPort: 1053
              protocol: UDP
            - name: http
              containerPort: 4000

Currently, Blocky cannot run in the Restricted profile. I get the log line

exec /app/blocky: operation not permitted

and the container gets restarted.

If I comment out capabilities: drop: - ALL, then the container runs.

While working on #1460, I built a custom image without setcap 'cap_net_bind_service=+ep' by commenting out BIN_AUTOCAB=1. This image runs well in the fully restricted PSS profile.

Besides, I want to mention #1353.

That being said, it would be great to have an image without capabilities. It could be a separate version like v0.23-unprivileged.

@SISheogorath

You can run blocky with PSS restricted. PSS restricted allows adding NET_BIND_SERVICE.

This is how I run blocky in a Namespace with PSS restricted version v1.26: https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/blob/37b991bc0f7f4955773bce1df3ef5a0b6ce6cd0f/apps/k8s01/dns/dns.yaml

@zc-devs
Contributor Author

zc-devs commented Jun 10, 2024

It requires to drop all capabilities, except NET_BIND_SERVICE

I supposed that the config below should work

          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE

However, the point is I do not need privileged ports and want to run without the NET_BIND_SERVICE capability. But as this capability is set on the executable, I have to add NET_BIND_SERVICE in K8s or rebuild the image.
The proposal is to have an image without capabilities set on the executable (tagged like v0.23-unprivileged).

Perhaps, I should have renamed the issue...

@zc-devs zc-devs changed the title K8s: cannot run in Restricted PSS profile Release image without capabilities set Jun 10, 2024
@zc-devs
Contributor Author

zc-devs commented Jul 12, 2024

ghcr.io/0xerr0r/blocky:v0.24

While I confirm that the configuration below works in my cluster

apiVersion: apps/v1
kind: Deployment
metadata:
  name: blocky
spec:
...
      containers:
        - name: blocky
          image: ghcr.io/0xerr0r/blocky:v0.24
          ports:
            - name: dns-udp
              containerPort: 1053
              protocol: UDP
            - name: dns-tcp
              containerPort: 1053
              protocol: TCP
            - name: http
              containerPort: 4000
              protocol: TCP
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
      securityContext:
        runAsUser: 100
        runAsGroup: 100
        runAsNonRoot: true
        fsGroup: 100
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault

there might be clusters (old versions?) which do not set ambient capabilities, and this configuration/workaround won't work.

Linux Capabilities in OpenShift
Running a container with runAsNonRoot and add capabilities

That said, the dedicated unprivileged image is still the preferable solution, I think.

Edit: it seems adding NET_BIND_SERVICE works because it was set on the file.
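As an added example (not Blocky code and not from anyone in this thread), a small Python checker that tests a container spec against the Restricted-profile rules the thread relies on, and models the interaction behind the "operation not permitted" exec failure: a capability set on the binary that the container cannot grant. The dicts are constructed from the snippets above, the getcap line is constructed, and the exec rule is the simplified one the thread observed, not a full model of the kernel's execve checks.

```python
import re

ALLOWED_ADDS = {"NET_BIND_SERVICE"}  # the only capability Restricted lets you add


def restricted_violations(pod_sc, container):
    """List Restricted-profile violations for one container spec;
    runAsNonRoot and seccompProfile may be inherited from pod_sc."""
    csc = container.get("securityContext", {})
    caps = csc.get("capabilities", {})
    problems = []
    if caps.get("drop") != ["ALL"]:
        problems.append("capabilities.drop must be exactly [ALL]")
    extra = set(caps.get("add", [])) - ALLOWED_ADDS
    if extra:
        problems.append(f"capabilities.add not allowed: {sorted(extra)}")
    if csc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be false")
    if not csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
        problems.append("runAsNonRoot must be true at pod or container level")
    seccomp = csc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def exec_blocked_by_file_caps(getcap_line, container):
    """True when a capability set on the binary (getcap output, either
    'path = cap_x+ep' or 'path cap_x=ep' style) is unavailable to the
    container: execve then fails with 'operation not permitted'."""
    body = getcap_line.partition(" ")[2]  # drop the path, keep the cap text
    file_caps = {c.upper() for c in re.findall(r"cap_([a-z_]+)", body)}
    caps = container.get("securityContext", {}).get("capabilities", {})
    drop, add = set(caps.get("drop", [])), set(caps.get("add", []))
    if "ALL" in drop:
        return not file_caps <= add  # every file cap must be added back
    return bool(file_caps & drop)


# Constructed from the v0.24 Deployment in the thread (not a full manifest).
POD_SC = {"runAsUser": 100, "runAsNonRoot": True,
          "seccompProfile": {"type": "RuntimeDefault"}}
BLOCKY = {"name": "blocky", "securityContext": {
    "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}
# The first config from the issue: drop ALL and add nothing.
BLOCKY_NO_ADD = {"name": "blocky", "securityContext": {
    "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
    "capabilities": {"drop": ["ALL"]}}}
# Constructed getcap line for a binary built with the file capability set.
GETCAP = "/app/blocky cap_net_bind_service=ep"
```

Both container specs pass the Restricted check; only the one that adds NET_BIND_SERVICE back can exec a binary carrying that file capability, which is the behaviour the thread describes.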


This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Oct 12, 2024
@kwitsch kwitsch removed the Stale label Oct 16, 2024
@kwitsch kwitsch added this to the future milestone Oct 16, 2024
@kwitsch kwitsch added the 🧰 technical debts Technical debts, refactoring label Oct 16, 2024