Skip to content

Inherit NET_BIND_SERVICE from IC to Nginx (#3722) #3849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 4, 2023
Merged

Inherit NET_BIND_SERVICE from IC to Nginx (#3722) #3849

merged 1 commit into from
May 4, 2023

Conversation

lucacome
Copy link

@lucacome lucacome commented May 4, 2023
edited
Loading

(cherry picked from commit 5d56f71)

@sigv @lucacome
Inherit NET_BIND_SERVICE from IC to Nginx (#3722)
dcc05cb 
8be0144: Rework port binding logic without privileges
caused issues for host networking configurations. The Kubernetes
documentation states that the `net.*` sysctls can be used with
container networking, which was misinterpreted.

This commit reverts the change, bringing back NET_BIND_SERVICE to
the Nginx process, as well as reverts the libcap package removal
done in a later commit.

In order to avoid privilege escalation being re-introduced, the
IC process is also receiving NET_BIND_SERVICE, so that it can be
inherited over to Nginx.

This change aims to restore host networking as functional for the
Helm chart. A future change is recommended to harden security for
the IC process (to drop the capability after executing Nginx) as
well as Nginx itself (to drop the capability after binding).

OBS! To use a 3.1.0 image, you should manually install the `setcap`
binary and add `+ep` on `/nginx-ingress` and `+eip` on `nginx` binary.

(cherry picked from commit 5d56f71)
@lucacome lucacome self-assigned this May 4, 2023
@lucacome lucacome requested a review from a team as a code owner May 4, 2023 02:28
@github-actions github-actions bot added bug An issue reporting a potential bug helm_chart Pull requests that update the Helm Chart labels May 4, 2023
@codecov
Copy link

codecov bot commented May 4, 2023

Codecov Report

❗ No coverage uploaded for pull request base (release-3.1@69e071f). Click here to learn what that means.
The diff coverage is n/a.

@@              Coverage Diff               @@
##             release-3.1    #3849   +/-   ##
==============================================
  Coverage               ?   52.38%           
==============================================
  Files                  ?       59           
  Lines                  ?    16890           
  Branches               ?        0           
==============================================
  Hits                   ?     8848           
  Misses                 ?     7747           
  Partials               ?      295

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@lucacome lucacome merged commit 2d0558d into release-3.1 May 4, 2023
@lucacome lucacome deleted the fix/net-bind branch May 4, 2023 02:44
@ciarams87 ciarams87 mentioned this pull request May 4, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jasonwilliams14 jasonwilliams14 jasonwilliams14 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@lucacome lucacome

Labels

bug An issue reporting a potential bug helm_chart Pull requests that update the Helm Chart

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lucacome @jasonwilliams14 @sigv