Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Experimental] Include both privileged and non-privileged binaries in Docker image #652

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[Experimental] Include both privileged and non-privileged binaries in Docker image #652

wants to merge 2 commits into from
+43 −14

Conversation

nathancoleman
Copy link
Member

@nathancoleman nathancoleman commented Oct 17, 2024
edited
Loading

Currently, the NET_BIND_SERVICE capability is added to the dataplane (and Envoy) entrypoints since we cannot know at build time whether a non-root user at runtime will attempt to bind to a privileged port. The reason this is the default behavior was to avoid a breaking change in ingress gateways, which had previously supported binding to privileged ports; however, there are still many use cases where it's preferable to avoid this capability when it isn't needed.

This change introduces a second set of entrypoints to the container that do not have the NET_BIND_SERVICE capability. In this way, we can support both use cases:

  • Ingress gateways, which have historically supported binding to privileged ports
  • All other use cases (sidecar and API, mesh, terminating gateways) which do not need to support binding to privileged ports

The container will default to the non-privileged entrypoint, and ingress gateway deployments that do want to support binding to privileged ports will need to override the entrypoint to privileged-consul-dataplane and provide a path to privileged-envoy. This way, no deployment needs the NET_BIND_SERVICE capability unless they are overriding the entrypoint in order to support binding to privileged ports.

See hashicorp/consul-k8s#4394 for an example of how this works in consul-k8s.

Warning

We still need to determine the impact – if any – of a change like this for VM and Nomad deployments of consul-dataplane

@nathancoleman
Include both privileged and non-privileged binaries in Docker image
1f32b61 
This way ingress-gateway can use the privileged entrypoint without everyone else having to add the NET_BIND_SERVICE capability when they don't need/want it
@nathancoleman nathancoleman requested a review from a team as a code owner October 17, 2024 18:04
@nathancoleman nathancoleman mentioned this pull request Oct 17, 2024
Draft
2 tasks
@nathancoleman nathancoleman marked this pull request as draft October 17, 2024 18:10
@jm96441n
Copy link
Member

this shouldn't affect nomad/VM deployments as those don't use dataplane

@zalimeni
Copy link
Member

This seems like a great idea! Excited to see it happen. Hoping/expecting the constraints around consul-dataplane are acceptable.

@jm96441n jm96441n marked this pull request as ready for review October 31, 2024 16:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jm96441n jm96441n jm96441n left review comments

@zalimeni zalimeni zalimeni left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nathancoleman @jm96441n @zalimeni