fix: Enable unprivileged ports sysctl in containerd config #1099
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What problem does this PR solve?:
Spotted this issue again when testing vSphere install/upgrade with Kubernetes v1.29.5.
Similar to nutanix-cloud-native/cluster-api-runtime-extensions-nutanix#645, but solving it here to handle the more generic case of so it can be picked up during upgrades without needing to add complicated
preKubeadmCommands
update logic in Konvoy2.This enabled pods to run as non-root and bind to privileged ports as long as they have the necessary capability,
CAP_NET_BIND_SERVICE
added.This fixes an issue on AWS when bringing up coredns which binds to port 53 but runs as an unprivileged user.
Overall this is a net security improvement for clusters, meaning users can stop giving too many privileged to pods - see
kubernetes/kubernetes#102612 for discussion.
Which issue(s) does this PR fix?:
Special notes for your reviewer:
Ran the konvoy2 e2e test https://github.com/mesosphere/konvoy2/actions/runs/9370800641
Does this PR introduce a user-facing change?: