Release image without capabilities set

[zc-devs]

I deploy Blocky in Kubernetes and always try to comply with Restricted profile of Pod Security Standard. It requires to drop all capabilities, except NET_BIND_SERVICE.

I deploy Blocky on high port:

    ports:
      dns: 1053
      http: 4000

with container settings below:

      containers:
        - name: blocky
          image: ghcr.io/0xerr0r/blocky:v0.23
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          ports:
            - name: dns-tcp
              containerPort: 1053
            - name: dns-udp
              containerPort: 1053
              protocol: UDP
            - name: http
              containerPort: 4000

Currently, Blocky cannot run in Restricted profile. I get log line

exec /app/blocky: operation not permitted

and container gets restarted.

If I comment out capabilities: drop: - ALL, then container runs.

While working on #1460, I built custom image without setcap 'cap_net_bind_service=+ep', commenting out BIN_AUTOCAB=1. This image runs well in fully restricted PSS profile.

Besides, I want to mention #1353.

That being said, it would be great to have an image without capabilities. It could be separate version like v0.23-unprivileged.

[SISheogorath]

You can run blocky with PSS restrict. PSS restricted allows to add NET_BIND_SERVICE.

This is how I run blocky in a Namespace with PSS restricted version v1.26: https://git.shivering-isles.com/shivering-isles/infrastructure-gitops/-/blob/37b991bc0f7f4955773bce1df3ef5a0b6ce6cd0f/apps/k8s01/dns/dns.yaml

[zc-devs]

It requires to drop all capabilities, except NET_BIND_SERVICE

I supposed, that config below should work

          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE

However, the point is I do not need privileged ports and want to run without NET_BIND_SERVICE capability. But as this capability is set on executable, I have to add NET_BIND_SERVICE in K8s or rebuild image. The propose is to have an image without capabilities set on executable (tagged like v0.23-unprivileged).

Perhaps, I should have renamed the issue...

[zc-devs]

ghcr.io/0xerr0r/blocky:v0.24

While I confirm, that configuration below works in my cluster

apiVersion: apps/v1
kind: Deployment
metadata:
  name: blocky
spec:
...
      containers:
        - name: blocky
          image: ghcr.io/0xerr0r/blocky:v0.24
          ports:
            - name: dns-udp
              containerPort: 1053
              protocol: UDP
            - name: dns-tcp
              containerPort: 1053
              protocol: TCP
            - name: http
              containerPort: 4000
              protocol: TCP
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
      securityContext:
        runAsUser: 100
        runAsGroup: 100
        runAsNonRoot: true
        fsGroup: 100
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault

there might be clusters (old versions?) which do not set ambient capabilities and this configuration/workaround won't work.

Linux Capabilities in OpenShift Running a container with runAsNonRoot and add capabilities

That said, the dedicated unprivileged image is still preferable solution, I think.

Edit: seems, add NET_BIND_SERVICE works because it was set up on file.

[github-actions[bot]]

This issue is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 5 days.