Provide binaries without CAP_NET_BIND_SERVICE #10002
Comments
This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@jkroepke sounds good :D Do you think you can take a look/try implementing this on the Makefiles? Can be an env that doesn't set the capabilities, and we can test if we can run without it
What's the end result? 2 docker images? Or 1 docker image containing both binaries? Or removing setcap by default with a breaking change?
This is stale, but we won't close it automatically, just bear in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach
It seems that if you configure As per capabilities(7)
execve(2) obviously mentioning the
This has not been worked on for a long time and now the project is in shortage of resources bad enough to deprecate features due to lack of developer time. So there is hardly any chance that this will get worked on. Focus is to use whatever resources for security & Gateway-API. If some developer commits in future to this, then we can re-open this. But I am closing this now as this is adding to the tally of open issues without tracking any action item on the project. /close
@longwuyuan: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
I would like to request to deprecate/drop setting capabilities OR provide a copy of the binaries inside that image without the capability.
ingress-nginx/rootfs/Dockerfile
Lines 70 to 75 in 9398c7e
The goal here is to get one step closer to supporting #9212. At the moment, it's not possible to run the container with
I would like to run ingress-nginx on ports 8080, 8443 which does not require. However, since the binaries have the cap, they are not allowed to be executed in that environment.
In general, setcap is not required anymore. Since Kubernetes 1.22 it's possible to define the sysctl net.ipv4.ip_unprivileged_port_start through securityContext.
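The exec failure described in this issue follows from the execve() rules in capabilities(7). As an added example (not code from the issue or from the ingress-nginx project), the Python below decodes a security.capability xattr and applies that rule for a process whose bounding set has or lacks CAP_NET_BIND_SERVICE. The xattr bytes are constructed sample values and the function names are hypothetical.

```python
import struct

# Constants from <linux/capability.h>
CAP_NET_BIND_SERVICE = 10
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit capability words after the magic
U32_WORDS = {0x01000000: 2, 0x02000000: 4, 0x03000000: 4}


def parse_file_caps(xattr: bytes):
    """Decode security.capability into (permitted, inheritable, effective)."""
    if len(xattr) < 4:
        raise ValueError("truncated security.capability value")
    (magic,) = struct.unpack_from("<I", xattr, 0)
    words = U32_WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(xattr) < 4 + 4 * words:
        raise ValueError("unknown revision or truncated value")
    data = struct.unpack_from("<%dI" % words, xattr, 4)
    # Layout is {permitted, inheritable} for the low 32 bits, then the high 32.
    permitted = data[0] | (data[2] << 32 if words == 4 else 0)
    inheritable = data[1] | (data[3] << 32 if words == 4 else 0)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def exec_outcome(xattr: bytes, bounding: int, proc_inheritable: int = 0):
    """Apply the capabilities(7) execve() rule for a non-root process.

    Returns (exec_allowed, new_permitted_mask).
    """
    f_perm, f_inh, f_eff = parse_file_caps(xattr)
    new_permitted = (proc_inheritable & f_inh) | (f_perm & bounding)
    # A file with the effective bit must receive all of its permitted
    # capabilities, otherwise execve() fails with EPERM.
    if f_eff and (f_perm & ~new_permitted):
        return False, 0
    return True, new_permitted


NET_BIND = 1 << CAP_NET_BIND_SERVICE
# Constructed sample values (not read from the ingress-nginx image):
# revision 2 xattr as "cap_net_bind_service=ep" / "=p" would be stored.
XATTR_EP = struct.pack("<5I", 0x02000001, NET_BIND, 0, 0, 0)
XATTR_P = struct.pack("<5I", 0x02000000, NET_BIND, 0, 0, 0)

if __name__ == "__main__":
    print("bounding set keeps the cap:", exec_outcome(XATTR_EP, NET_BIND))
    print("all capabilities dropped: ", exec_outcome(XATTR_EP, 0))
    print("no effective bit, dropped:", exec_outcome(XATTR_P, 0))
```

On a real image the input bytes would come from `os.getxattr(path, "security.capability")`, which raises `OSError` when the binary carries no file capabilities.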