feat: add support for privileged ports usage without root user #31

Closed


mloiseleur
Contributor

@mloiseleur mloiseleur commented Oct 6, 2022

When a user wants to run the traefik docker image without being root, he cannot listen on ports < 1024 by default. The binary needs a special capability in order for him to do so.

This PR adds this capability to the traefik binary, since Traefik is expected to listen on ports like 443 or 80.

UPDATE: It seems recent versions of Docker remove the need for this capability, cf. this commit.

Supersedes #18
Fixes #7

Additional Information

Co-authored-by: Samuel MARTIN MORO faust64@gmail.com
Co-authored-by: Mandus Momberg git@momberg.me

@mloiseleur mloiseleur changed the title feat: add support for privileged ports usage without root user ✨ add support for privileged ports usage without root user Oct 6, 2022
@mloiseleur mloiseleur changed the title ✨ add support for privileged ports usage without root user ✨ Add support for privileged ports usage without root user Oct 6, 2022
@ldez ldez changed the title ✨ Add support for privileged ports usage without root user feat: add support for privileged ports usage without root user Oct 6, 2022
@ldez ldez added kind/enhancement a new or improved feature. status/2-needs-review labels Oct 6, 2022
mpl
mpl previously approved these changes Oct 7, 2022
@mpl mpl dismissed their stale review October 7, 2022 09:19

additional concerns

@mpl
Collaborator

mpl commented Oct 7, 2022

@mloiseleur what's the difference between doing a setcap directly on the binary, and running the container with --cap-add=NET_BIND_SERVICE?
Why is it better to go the setcap way?

@mloiseleur
Contributor Author

@mpl That's correct. It's clearly better to provide it with the securityContext or docker CLI.

I'll close this PR then.

@mloiseleur mloiseleur closed this Oct 7, 2022
@mloiseleur mloiseleur deleted the feat/cap_net_bind_service branch October 7, 2022 12:37
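
Added example, not part of this PR or of Traefik's code: whichever mechanism is used (setcap on the binary, or a capability granted when the container starts), a non-root process can bind port 80 or 443 only if CAP_NET_BIND_SERVICE is in its effective set or the port is at or above the kernel's net.ipv4.ip_unprivileged_port_start sysctl. This Go program checks both conditions from /proc/<pid>/status text; the function names and the sample status are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const capNetBindService = 10 // bit index of CAP_NET_BIND_SERVICE in the masks

// Constructed /proc/<pid>/status excerpt (not from the PR): a non-root process
// with the capability in its bounding set (CapBnd) but not effective (CapEff).
const sampleStatus = `CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	0000000000000400
`

// capSet returns the named mask (e.g. "CapEff") parsed from status text.
func capSet(status, name string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[0] == name+":" {
			return strconv.ParseUint(f[1], 16, 64)
		}
	}
	return 0, fmt.Errorf("%s not found", name)
}

// canBind reports whether the process may bind port: the port is at or above
// net.ipv4.ip_unprivileged_port_start, or CAP_NET_BIND_SERVICE is effective.
func canBind(status string, port, unprivStart int) (bool, error) {
	if port >= unprivStart {
		return true, nil
	}
	eff, err := capSet(status, "CapEff")
	if err != nil {
		return false, err
	}
	return eff&(1<<capNetBindService) != 0, nil
}

func main() {
	for _, start := range []int{1024, 0} {
		ok, err := canBind(sampleStatus, 443, start)
		fmt.Printf("port_start=%d bind :443 -> %v (err=%v)\n", start, ok, err)
	}
}
```

On a live container, feed it the contents of /proc/1/status and the value of /proc/sys/net/ipv4/ip_unprivileged_port_start read inside that container.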
Labels
kind/enhancement a new or improved feature. resolution/declined
Development

Successfully merging this pull request may close these issues.

unprivileged images for Kubernetes
3 participants