kube-dns cannot run as non-root user #190
I would love for it to run as non-root. cap_net_bind_service might allow
us to not muck with ports, too.
On Tue, Jan 23, 2018 at 1:15 PM, Diego Pontoriero wrote:
I attempted to run kube-dns as a non-root user by modifying the example
YAML files to:
- have dnsmasq serve on a high port using the --port flag
- fix the service to point at the high port
- add a non-root security context to the pod
This seems like it would be sufficient, but then I found that there are
several hard-coded assumptions in the container image that dnsmasq will run
as root:
https://github.com/kubernetes/dns/blob/master/images/dnsmasq/Dockerfile.cross
https://github.com/kubernetes/dns/blob/master/images/dnsmasq/dnsmasq.conf
Unless there is a strong reason why dnsmasq needs to run as root, I think
it would be a better practice to run it as non-root.
/remove-lifecycle stale
@johnbelamaric can CoreDNS run as non-root?
@johnbelamaric can CoreDNS run as non-root?
yes:
% ./coredns -dns.port=1043
.:1043
2018/04/29 20:28:15 [INFO] CoreDNS-1.1.2
2018/04/29 20:28:15 [INFO] linux/amd64, go1.10.1,
CoreDNS-1.1.2
linux/amd64, go1.10.1,
yep, as @miekg said
We should give it CAP_NET_BIND and run as non-root by default, perhaps?
On Mon, Apr 30, 2018, 5:44 PM John Belamaric wrote:
yep, as @miekg <https://github.com/miekg> said
@thockin, apparently it requires a setcap call on a file: moby/moby#8460
It’s a cluster IP anyway, why not just listen on port 5300 instead and set the targetPort?
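The approach the thread converges on (dnsmasq serving on an unprivileged port, the Service mapping 53 to it via targetPort, and a non-root security context), written out as an added example; this is not a manifest from the kubernetes/dns repository, and the image reference, UID and label are assumptions. Only the dnsmasq container is shown, and the TCP port entries are omitted for brevity; they need the same 53 to 5300 mapping.

```yaml
# Added example, not from kubernetes/dns; image, UID and labels are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-dns
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      securityContext:
        runAsNonRoot: true        # kubelet refuses to start the container as UID 0
        runAsUser: 65534          # assumed UID; the image must tolerate running as it
      containers:
      - name: dnsmasq
        image: example.invalid/dnsmasq:placeholder   # placeholder, not the real image
        args:
        - --keep-in-foreground
        - --log-facility=-        # log to stderr so kubectl logs sees it
        - --port=5300             # unprivileged port: no root, no CAP_NET_BIND_SERVICE
        ports:
        - name: dns
          containerPort: 5300
          protocol: UDP
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]         # nothing else is needed once port 53 is not bound
---
apiVersion: v1
kind: Service
metadata:
  name: kube-dns
  namespace: kube-system
spec:
  selector:
    k8s-app: kube-dns
  ports:
  - name: dns
    port: 53                      # clients keep using port 53 on the cluster IP
    targetPort: 5300              # kube-proxy rewrites to the high port in the pod
    protocol: UDP
```

As the thread notes, the stock image still assumes root in its Dockerfile and dnsmasq.conf, so the image itself has to be adjusted before this security context lets the pod start.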