Setting the NET_BIND_SERVICE capability in the container security context.
Setting the net.ipv4.ip_unprivileged_port_start sysctl in the pod security context.
Unfortunately, none of the above is working, possibly because the image was meant to be run using an unprivileged user at all times.
So I was thinking we could avoid the problem altogether by using the k8s service as designed and let it forward the traffic from privileged (node level) to unprivileged (container level). The only caveat is that to do so we'll need to disable host networking.
This is the bit I will need some guidance on because I don't have a full understanding of other potential side effects of doing so (e.g. DNS policy?).
Summary
PR proposes a possible solution to the issue we are facing when trying to have
rtcdlisten on a privileged port (lower than 1024).So far we've tested a couple of workarounds (full context at https://hub.mattermost.com/private-core/pl/5ubornsmpfnkuyxnmyixgfpich):
NET_BIND_SERVICEcapability in the container security context.net.ipv4.ip_unprivileged_port_startsysctl in the pod security context.Unfortunately, none of the above is working, possibly because the image was meant to be run using an unprivileged user at all times.
So I was thinking we could avoid the problem altogether by using the k8s service as designed and let it forward the traffic from privileged (node level) to unprivileged (container level). The only caveat is that to do so we'll need to disable host networking.
This is the bit I will need some guidance on because I don't have a full understanding of other potential side effects of doing so (e.g. DNS policy?).
Ticket Link
https://mattermost.atlassian.net/browse/CLD-7443