Running as a non root user #28
Conversation
This change does not work with the default ports:
Hi @constanca-m, you should be able to set the environment variables. Your change SHOULD work if we change the listen addresses; can you explain why it doesn't work?
Hi @thrawn01,

This is correct. I attached to the description an example that works.

It would only not work when not setting So if this PR was merged (we set a non-root user for gubernator with it), the default settings for users would no longer work and we would be seeing the error in #28 (comment). So the workaround would be:

Edit: I found this very nice article that explains the problem well. I have tried with the default ports:

```yaml
securityContext:
  runAsNonRoot: true
  sysctls:
    - name: net.ipv4.ping_group_range
      value: "0 2147483647"
```

It still did not work:

```yaml
securityContext:
  runAsNonRoot: true
  capabilities:
    add:
      - NET_BIND_SERVICE
```

It also did not work.
I got it to work by adding:

```yaml
securityContext:
  runAsNonRoot: true
  sysctls:
    - name: net.ipv4.ip_unprivileged_port_start
      value: "80"
```

I found this article, Trouble Binding Ports After Switching to Containerd?, that explained the problem better for containerd and contains a bit of history on privileged ports and docker.
Thank you for explaining! Yes, I agree we should change the default, which will allow Gubernator to run in a non-privileged container. I'm thinking we should change it to Do you want to make this change, or should I?
I have tried to update the defaults in all files. I think this workaround is best in the long term. Could you double check the changes?
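To illustrate the outcome of the thread above, here is an added example (not a manifest from this PR or from the gubernator project) contrasting the failing combination of a non-root user with default privileged ports against the fix of listening on unprivileged ports. The image name, the `GUBER_HTTP_ADDRESS`/`GUBER_GRPC_ADDRESS` variable names and the ports 1050/1051 are assumptions, not values taken from this thread.

```yaml
# Added example, not from the PR. Image, env var names and ports are assumed.
---
apiVersion: v1
kind: Pod
metadata:
  name: gubernator-fails            # non-root user + privileged default ports
spec:
  containers:
    - name: gubernator
      image: example.invalid/gubernator:placeholder   # placeholder image
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      # No listen-address overrides: the process tries to bind ports below
      # 1024, which an unprivileged user cannot do while the node's
      # net.ipv4.ip_unprivileged_port_start is left at its default of 1024.
---
apiVersion: v1
kind: Pod
metadata:
  name: gubernator-nonroot          # non-root user + unprivileged ports
spec:
  containers:
    - name: gubernator
      image: example.invalid/gubernator:placeholder   # placeholder image
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]               # no NET_BIND_SERVICE needed any more
      env:
        - name: GUBER_HTTP_ADDRESS    # assumed variable name
          value: ":1050"              # assumed unprivileged port
        - name: GUBER_GRPC_ADDRESS    # assumed variable name
          value: ":1051"              # assumed unprivileged port
      ports:
        - containerPort: 1050
        - containerPort: 1051
```

Moving the listen addresses above 1024 removes the need for the `ip_unprivileged_port_start` sysctl workaround from the thread, so the pod no longer depends on a node-level setting or on added capabilities.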
Looks good, thanks for making this change!
Issue: #27
This adds a non-root user to the Dockerfile, which by default assumes the root user.
You can test it works locally like this:
Use this K8s manifest.
Use this script.
The curl should work and output: