Closed Raksha-CPU closed 10 months ago
apiVersion: apps/v1
kind: Deployment
metadata:
[...]
        capabilities:
          add: [CAP_NET_BIND_SERVICE]
[...]
I am not 100% sure, but does it work if you use NET_BIND_SERVICE instead of CAP_NET_BIND_SERVICE?
Hi,
I tried using NET_BIND_SERVICE but unfortunately, I'm still encountering the same problem.
I came across an article that mentioned AKS doesn't support binding to privileged ports for non-root users. https://learn.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#:~:text=When%20you%20run%20as%20a%20non%2Droot%20user%2C%20containers%20cannot%20bind%20to%20the%20privileged%20ports%20under%201024.%20In%20this%20scenario%2C%20Kubernetes%20Services%20can%20be%20used%20to%20disguise%20the%20fact%20that%20an%20app%20is%20running%20on%20a%20particular%20port.
It seems I need to build the Docker image with a root user instead of using the eturnal user. Could you please guide me on the necessary changes to make in order to run the image as a root user?
Here are the build instructions.
In the Dockerfile, comment out this line. This will run the container by default as root.
Afterwards, build the image and push it to your container image registry.
In that case your deployment probably needs adjustments along these lines as well.
apiVersion: apps/v1
kind: Deployment
metadata:
[...]
        securityContext:
          readOnlyRootFilesystem: true
          runAsUser: 0
          runAsGroup: 0
          runAsNonRoot: false
          privileged: false
[...]
Before building, you may try this as well: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#setting-sysctls-for-a-pod
net.ipv4.ip_unprivileged_port_start
Hello,
Great news! Adding the net.ipv4.ip_unprivileged_port_start did the trick, allowing the turnserver to function without needing root privileges. The process was straightforward to set up on both VM and AKS platforms. And most importantly, everything is working perfectly. Thank you once again for the remarkable turnserver.
Glad it works now. Thanks for the feedback. We will include this in the documentation as well.
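As an added example (not code from the thread or from the eturnal project), this is what the sysctl approach confirmed above looks like in a Deployment: the pod lowers net.ipv4.ip_unprivileged_port_start so the container can bind a port below 1024 while still running as the unprivileged eturnal user, instead of switching to runAsUser: 0. The resource name, image reference and port numbers are assumptions, not values from the thread.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: eturnal                      # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: eturnal
  template:
    metadata:
      labels:
        app: eturnal
    spec:
      # Pod-level sysctl. net.ipv4.ip_unprivileged_port_start is on the
      # Kubernetes "safe" list (since v1.22), so no kubelet allow-list or
      # privileged container is needed. It is namespaced, so it only affects
      # this pod's network namespace, not the node.
      securityContext:
        sysctls:
          - name: net.ipv4.ip_unprivileged_port_start
            # Lowest privileged port the container must bind; assumed 443
            # (TURN over TLS). Prefer the exact port over "0" so the rest
            # of the privileged range stays privileged.
            value: "443"
      containers:
        - name: eturnal
          image: REGISTRY/eturnal:TAG   # placeholder for the built image
          ports:
            - containerPort: 3478       # assumed default TURN port
              protocol: UDP
            - containerPort: 3478
              protocol: TCP
            - containerPort: 443        # assumed TURNS port
              protocol: TCP
          # Container stays non-root; no CAP_NET_BIND_SERVICE and no root
          # needed because the sysctl already made 443 bindable.
          securityContext:
            runAsNonRoot: true
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            privileged: false
            capabilities:
              drop: ["ALL"]
```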
Hello there,
I'm currently working with an eturnal server on AKS. However, I've encountered an error and I'm seeking assistance to figure out what might be the issue.
I've provided my deployment, configmap, and service files below.
Could you kindly help me understand what might be causing this problem?
I have the following error and my pod doesn't start: