Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add support for privileged ports usage without root user #31

Closed
wants to merge 1 commit into from
Closed

feat: add support for privileged ports usage without root user #31

wants to merge 1 commit into from

Conversation

mloiseleur
Copy link
Contributor

@mloiseleur mloiseleur commented Oct 6, 2022
edited by kevinpollet

When user wants to run traefik docker image without being root, he cannot listen on ports < 1024 by default. The binary needs a special capability in order for him to do so.

This PR add this capability to traefik binary, since Traefik is expected to listen on ports like 443 or 80.

UPDATE: It seems recent version of Docker removes the needs of this capability cf this commit.

Supersedes #18
Fixes #7

Additional Informations

Co-authored-by: Samuel MARTIN MORO faust64@gmail.com
Co-authored-by: Mandus Momberg git@momberg.me

@mloiseleur mloiseleur changed the title feat: add support for privileged ports usage without root user ✨ add support for privileged ports usage without root user Oct 6, 2022
@mloiseleur mloiseleur changed the title ✨ add support for privileged ports usage without root user ✨ Add support for privileged ports usage without root user Oct 6, 2022
@ldez ldez changed the title ✨ Add support for privileged ports usage without root user feat: add support for privileged ports usage without root user Oct 6, 2022
@ldez ldez added kind/enhancement a new or improved feature. status/2-needs-review labels Oct 6, 2022
@kevinpollet kevinpollet mentioned this pull request Oct 7, 2022
Closed
mpl
mpl previously approved these changes Oct 7, 2022
View reviewed changes
@mpl mpl dismissed their stale review October 7, 2022 09:19

additional concerns

@mpl
Copy link
Collaborator

mpl commented Oct 7, 2022

@mloiseleur what's the difference between doing a setcap directly on the binary, and running the container with --cap-add=NET_BIND_SERVICE ?
why is it better to go the setcap way?

@mloiseleur
Copy link
Contributor Author

@mpl That's correct. It's clearly better to provide it with the securityContext or docker CLI.

I'll close this PR then.

@mloiseleur mloiseleur closed this Oct 7, 2022
@mloiseleur mloiseleur deleted the feat/cap_net_bind_service branch October 7, 2022 12:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mpl mpl mpl left review comments

Assignees
No one assigned
Labels
kind/enhancement a new or improved feature. resolution/declined
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

unprivileged images for Kubernetes
3 participants
@mloiseleur @mpl @ldez