Drop capabilities in Kubernetes DaemonSet example #3028
I like where this is going, but there are a couple of issues I foresee:
@timoreimann thoughts?
I think we're good on 3. Although we have never formally defined which versions of Kubernetes we want to support with Traefik, I think it makes sense to match Kubernetes' rule to provide support for the previous two releases. In that sense, 1.4 has long dropped out.

Re: 2, at least the list of known limitations for Windows does not mention capabilities. Maybe it's obvious that it's not supported because they are Linux capabilities; then again, I don't know how Windows containers work under the hood. Mac doesn't support containers natively either, and yet it works because there's a virtualization layer somewhere. I know @vdemeester has approximately 42 dev machines sitting on his desk, maybe he can shed some light here. :-)

Re: 1: One thing we should do before merging is test if this works as expected against minikube or even better some real cluster. @nogoegst by any chance, have you tested this configuration already?
@timoreimann, yes, I've successfully tested it on a bare-metal v1.9 cluster (Ubuntu 16.04 kernel). Though I think that it should be tested by someone else because it is a works-for-me for now.
Well, I'm on board, after doing some reading :) And I fully appreciate dropping capabilities from root -> just port binding abilities. 👍
Thanks for this PR!
Tested on Minikube, and it works for me.
But can you update the documentation too?
@juliens do we actually have documentation in this regard?
@timoreimann I guess that @juliens meant that there should be some documentation for this even though it is not there at the moment.
Gotcha. If it means adding a quick sentence to the guide, I'm good with it.
In fact, I'm talking about updating this part: https://docs.traefik.io/user-guide/kubernetes/
@juliens, yes, and there is no line about why.
LGTM
LGTM
LGTM 📖
What does this PR do?
Changes the example of running a DaemonSet on Kubernetes.
Makes Traefik run not in privileged mode but with only the capability to bind to ports < 1024.
Motivation
Reducing attack surface.
The motivation behind `privileged: true` was to give Traefik the ability to bind to privileged ports. However, there is a more fine-grained mechanism to restrict container capabilities, so it is unnecessary for the container to run in privileged mode.
Additional Notes
Probably there was another rationale behind running in privileged mode. If there is, it should be added explicitly to the capability list.
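The weak setting beside the hardened one, as an added illustration rather than the PR's own diff: the container keeps only the single Linux capability that binding to ports below 1024 needs. Object names, the image tag, `hostNetwork` and the Traefik args are assumptions, not taken from the guide.

```yaml
# Added example, not the PR's diff. Names, image tag, hostNetwork and args are assumptions.

# Before: the whole container ran privileged just to reach ports 80/443.
# privileged: true grants every capability plus host device access.
#
#   securityContext:
#     privileged: true

# After: same DaemonSet, but the container drops all capabilities and adds back
# only CAP_NET_BIND_SERVICE, which is what binding to ports below 1024 requires.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: traefik-ingress-controller      # assumed name
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
    spec:
      hostNetwork: true                 # assumption: host networking as in the guide
      containers:
      - name: traefik-ingress-lb
        image: traefik                  # assumption: pin the v1.x tag you actually deploy
        ports:
        - name: http
          containerPort: 80             # privileged port: needs NET_BIND_SERVICE
          hostPort: 80
        - name: admin
          containerPort: 8080           # unprivileged port: needs no capability
          hostPort: 8080
        securityContext:
          capabilities:
            drop:
            - ALL                       # start from no capabilities at all
            add:
            - NET_BIND_SERVICE          # add back only port binding below 1024
        args:                           # assumption: minimal Traefik 1.x flags
        - --api
        - --kubernetes
```

If Traefik ever needs something else that `privileged: true` silently provided, it will fail at that point with a permission error, which is the signal to add that one capability explicitly rather than return to privileged mode.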