fix: Enable unprivileged ports sysctl in containerd config #1099

Merged
merged 1 commit into from
Jun 4, 2024

Conversation

dkoshkin
Contributor

@dkoshkin dkoshkin commented Jun 4, 2024

What problem does this PR solve?:
Spotted this issue again when testing vSphere install/upgrade with Kubernetes v1.29.5.

Similar to nutanix-cloud-native/cluster-api-runtime-extensions-nutanix#645, but solving it here to handle the more generic case so it can be picked up during upgrades without needing to add complicated preKubeadmCommands update logic in Konvoy2.

This enables pods to run as non-root and bind to privileged ports as long as they have the necessary capability, CAP_NET_BIND_SERVICE, added.

This fixes an issue on AWS when bringing up coredns which binds to port 53 but runs as an unprivileged user.

Overall this is a net security improvement for clusters, meaning users can stop giving too many privileges to pods - see
kubernetes/kubernetes#102612 for discussion.

Which issue(s) does this PR fix?:

Special notes for your reviewer:

Ran the konvoy2 e2e test https://github.com/mesosphere/konvoy2/actions/runs/9370800641

Does this PR introduce a user-facing change?:

This enables pods to run as non-root and bind to privileged ports
as long as they have the necessary capability, `CAP_NET_BIND_SERVICE`,
added.

This fixes an issue on AWS when bringing up coredns which binds to port
53 but runs as an unprivileged user.

Overall this is a net security improvement for clusters, meaning users
can stop giving too many privileges to pods - see
kubernetes/kubernetes#102612 for discussion.
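The setting this PR turns on is the containerd CRI plugin option `enable_unprivileged_ports`, which makes containerd set `net.ipv4.ip_unprivileged_port_start=0` in each pod's network namespace, so a non-root container with only `CAP_NET_BIND_SERVICE` can bind port 53. The script below is an added example, not code from this PR or the project: it audits a containerd v2-format `config.toml` for that option and shows the least-privilege pod securityContext that goes with it. The two sample configs it writes are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not part of the PR): audit a containerd CRI config for
# enable_unprivileged_ports and show the matching pod securityContext.

# Writes two constructed sample configs (containerd config v2 layout) into a
# temp dir and prints the dir path. "weak" lacks the option, "fixed" has it.
write_sample_configs() {
  SAMPLE_DIR=$(mktemp -d)
  cat > "$SAMPLE_DIR/weak.toml" <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.9"
EOF
  cat > "$SAMPLE_DIR/fixed.toml" <<'EOF'
version = 2
[plugins."io.containerd.grpc.v1.cri"]
  sandbox_image = "registry.k8s.io/pause:3.9"
  # lets containers bind ports < 1024 without running as root
  enable_unprivileged_ports = true
EOF
  echo "$SAMPLE_DIR"
}

# Exit 0 if enable_unprivileged_ports = true is set directly inside the
# [plugins."io.containerd.grpc.v1.cri"] table, exit 1 otherwise. The same key
# under any other table (including a CRI sub-table) is ignored, because
# containerd only honours it at that level.
unprivileged_ports_enabled() {
  awk '
    /^[[:space:]]*\[/ {
      line = $0; sub(/^[[:space:]]+/, "", line)
      in_cri = (line == "[plugins.\"io.containerd.grpc.v1.cri\"]")
    }
    in_cri && /^[[:space:]]*enable_unprivileged_ports[[:space:]]*=[[:space:]]*true[[:space:]]*(#.*)?$/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Prints the lines to add to the CRI table when the audit fails.
print_remediation() {
  cat <<'EOF'
[plugins."io.containerd.grpc.v1.cri"]
  enable_unprivileged_ports = true
EOF
}

# Prints the pod-side half: run as non-root, drop everything, keep only
# NET_BIND_SERVICE. A constructed snippet, not a manifest from the PR.
print_pod_security_context() {
  cat <<'EOF'
securityContext:
  runAsNonRoot: true
  runAsUser: 65532
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
    add: ["NET_BIND_SERVICE"]
EOF
}

# Stand-alone run: audit both samples and print remediation for the weak one.
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
  dir=$(write_sample_configs)
  for cfg in "$dir/weak.toml" "$dir/fixed.toml"; do
    if unprivileged_ports_enabled "$cfg"; then
      echo "OK   $cfg: enable_unprivileged_ports is set"
    else
      echo "WARN $cfg: enable_unprivileged_ports missing; add:"
      print_remediation
    fi
  done
  print_pod_security_context
fi
```

To verify the effect on a live node rather than on the config file, exec into any pod and read `/proc/sys/net/ipv4/ip_unprivileged_port_start`: it is `0` when the option is active and `1024` otherwise.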
@dkoshkin dkoshkin force-pushed the dkoshkin/fix-containerd-and-privileged-ports branch from d610c5e to 9db9143 Compare June 4, 2024 18:22
@dkoshkin dkoshkin changed the title feat: Enable unprivileged ports sysctl in containerd config fix: Enable unprivileged ports sysctl in containerd config Jun 4, 2024
@github-actions github-actions bot added fix and removed feature labels Jun 4, 2024
@dkoshkin
Contributor Author

dkoshkin commented Jun 4, 2024

@faiq faiq merged commit 2d8b0d1 into main Jun 4, 2024
11 checks passed
@faiq faiq deleted the dkoshkin/fix-containerd-and-privileged-ports branch June 4, 2024 18:32