New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unprivileged images for Kubernetes #7
Comments
I figured most official docker images supported using |
Docker options have nothing to do with it. Introducing my issue, I wrote:
This has nothing to do with Docker or OCI runtimes specifics. When I run some Nginx ingress controller, as unprivileged: I can bind to privileged ports (below 1024). The traefik container image doesn't allow for this. Although that's something we could do with Worteks@25acba8 On the other hand, forcing that changes onto users that run Traefik unprivileged could be problematic. Then again, the current Dockerfile doesn't set any USER: default would then be to run as root. The traefik-helm-chart could implement the specifics of such a breaking change, while we might document it for any other kind of deployment, ... IDK. That's up for debate. Hence this post. |
This seems to explain how to do it and also justifies adding it to the official image: https://community.traefik.io/t/traefik-as-non-root-should-be-default/16573/2 |
As discussed in traefik/traefik-helm-chart#336 (comment)
Currently, it is not possible to start traefik, running as an unprivileged user, yet binding on privileged ports.
This could be done, with something like the following:
Worteks@25acba8
Though as stated in the commit message, it could have implications on existing unprivileged deployments.
Looking at how Nginx does this: their default image doesn't have that capability enabled.
The Nginx ingress controller uses another image, that does set it:
https://github.com/nginxinc/kubernetes-ingress/blob/master/build/DockerfileForAlpine#L14
Not sure that's relevant for Traefik.
At least, we would have to ensure helm charts would be updated accordingly - and any potential doc or template deploying Traefik to run as an unprivileged user. Considering the image starts as root by default: those are edge cases. But helm defaults are concerned, PodSecurityPolicy would need patching.
Now, maybe that's not necessary, nor wanted. Traefik perfectly runs as unprivileged, when binding on ports above 1024. As long as we can map host port to a different container port, this would allow to expose Traefik on ports 80/443, using Kubernetes hostNetwork - which is the most common way to expose ingresses, on bare metal. Which should be doable, assuming I can get approval for my PR:
https://github.com/traefik/traefik-helm-chart/pull/337/files
The text was updated successfully, but these errors were encountered: