MAJOR: Add CAP_NET_BIND to haproxy binary and remove privileged sysctl

dkorunic · dkorunic · commit e0a936e85936 · 2022-04-27T09:52:03.000Z
Adding CAP_NET_BIND will allow us to remove privileged container for
net.ipv4.ip_unprivileged_port_start sysctl in Helm Chart for rootless
container setups and also support GKE Autopilot. This will however cause
container to stop working on some older hosts due to CONFIG_AUFS_XATTR
not being enabled.
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -47,10 +47,11 @@ ENV S6_READ_ONLY_ROOT=1
 COPY /fs /
 COPY --from=builder /src/fs/haproxy-ingress-controller .
 
-RUN apk --no-cache add socat openssl util-linux htop tzdata curl && \
+RUN apk --no-cache add socat openssl util-linux htop tzdata curl libcap && \
     rm -f /usr/local/bin/dataplaneapi /usr/bin/dataplaneapi && \
     chgrp -R haproxy /usr/local/etc/haproxy /run /var && \
     chmod -R ug+rwx /usr/local/etc/haproxy /run /var && \
+    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/haproxy && \
     case "${TARGETPLATFORM}" in \
         "linux/arm64")      S6_ARCH=aarch64     ;; \
         "linux/amd64")      S6_ARCH=amd64       ;; \
@@ -67,6 +68,7 @@ RUN apk --no-cache add socat openssl util-linux htop tzdata curl && \
     mkdir /var/run/s6 && \
     chown haproxy:haproxy /var/run/s6 && \
     chmod ug+rwx /var/run/s6 && \
-    sed -i 's/ root / haproxy /g' /etc/s6/init/init-stage2-fixattrs.txt
+    sed -i 's/ root / haproxy /g' /etc/s6/init/init-stage2-fixattrs.txt && \
+    chmod ugo+x /etc/services.d/*/run /etc/cont-init.d/*
 
 ENTRYPOINT ["/start.sh"]
diff --git a/deploy/haproxy-ingress-daemonset.yaml b/deploy/haproxy-ingress-daemonset.yaml
@@ -203,15 +203,6 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-      initContainers:
-        - name: sysctl
-          image: busybox:musl
-          command:
-            - /bin/sh
-            - -c
-            - sysctl -w net.ipv4.ip_unprivileged_port_start=0
-          securityContext:
-            privileged: true
 ---
 apiVersion: v1
 kind: Service
diff --git a/deploy/haproxy-ingress.yaml b/deploy/haproxy-ingress.yaml
@@ -201,15 +201,6 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-      initContainers:
-        - name: sysctl
-          image: busybox:musl
-          command:
-            - /bin/sh
-            - -c
-            - sysctl -w net.ipv4.ip_unprivileged_port_start=0
-          securityContext:
-            privileged: true
 ---
 apiVersion: v1
 kind: Service
diff --git a/deploy/tests/config/4.ingress-controller.yaml b/deploy/tests/config/4.ingress-controller.yaml
@@ -61,15 +61,6 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-     initContainers:
-       - name: sysctl
-         image: busybox:musl
-         command:
-           - /bin/sh
-           - -c
-           - sysctl -w net.ipv4.ip_unprivileged_port_start=0
-         securityContext:
-           privileged: true
 ---
 apiVersion: v1
 kind: Service
