K8s: cannot run in Restricted PSS profile #1461

Open
zc-devs opened this issue Apr 26, 2024 · 0 comments

zc-devs (Contributor) commented Apr 26, 2024

I deploy Blocky in Kubernetes and always try to comply with the Restricted profile of the Pod Security Standard. It requires dropping all capabilities, except NET_BIND_SERVICE.

I deploy Blocky on a high port:

    ports:
      dns: 1053
      http: 4000

with the container settings below:

      containers:
        - name: blocky
          image: ghcr.io/0xerr0r/blocky:v0.23
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          ports:
            - name: dns-tcp
              containerPort: 1053
            - name: dns-udp
              containerPort: 1053
              protocol: UDP
            - name: http
              containerPort: 4000

Currently, Blocky cannot run in the Restricted profile. I get the log line

    exec /app/blocky: operation not permitted

and the container gets restarted.

If I comment out capabilities: drop: - ALL, then the container runs.

While working on #1460, I built a custom image without setcap 'cap_net_bind_service=+ep', commenting out BIN_AUTOCAB=1. This image runs well in the fully restricted PSS profile.

Besides, I want to mention #1353.

That being said, it would be great to have an image without capabilities. It could be a separate version like v0.23-unprivileged.
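The failure above is a documented kernel behaviour rather than a Blocky bug: when a binary carries file capabilities with the effective bit set (as setcap cap_net_bind_service=+ep does) and the process cannot obtain every permitted capability from the file because the container's bounding set no longer contains it (drop: ALL with nothing added back), execve() refuses to run the binary with EPERM, which is the "operation not permitted" message in the log. The following script is an added example written for this issue, not code from the Blocky project; it checks a container spec against a subset of the Restricted PSS rules (privilege escalation, capabilities, non-root, seccomp) and flags the file-capability conflict. The container dict is a constructed copy of the manifest from the issue, and the file capabilities passed to exec_conflict are assumed to have been read from the image beforehand (for example with getcap); the runtime's default bounding set is not modelled when ALL is not dropped.

```python
"""Static check of a container spec against part of the Restricted Pod Security
Standard, plus a check for the file-capability / drop-ALL exec failure."""
import copy

ALLOWED_ADD = {"NET_BIND_SERVICE"}  # the only capability Restricted lets you add back
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

# Constructed input: the blocky container from the issue, as a plain dict
# (no YAML library needed).
ISSUE_CONTAINER = {
    "name": "blocky",
    "image": "ghcr.io/0xerr0r/blocky:v0.23",
    "securityContext": {
        "allowPrivilegeEscalation": False,
        "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]},
    },
    "ports": [
        {"name": "dns-tcp", "containerPort": 1053},
        {"name": "dns-udp", "containerPort": 1053, "protocol": "UDP"},
        {"name": "http", "containerPort": 4000},
    ],
}


def check_restricted(container, pod_security_context=None):
    """Return the list of Restricted-profile violations found; an empty list means
    the container passes the rules checked here (not the full profile)."""
    sc = container.get("securityContext") or {}
    pod_sc = pod_security_context or {}
    findings = []

    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation must be explicitly false")

    caps = sc.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        findings.append("capabilities.drop must contain ALL")
    extra = {_norm(c) for c in caps.get("add") or []} - ALLOWED_ADD
    if extra:
        findings.append("capabilities.add may only contain NET_BIND_SERVICE, got "
                        + ", ".join(sorted(extra)))

    # A container-level field overrides the pod-level one, as in the PSS rules.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot must be true (pod or container level)")

    seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        findings.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


def _norm(cap):
    """Normalise 'cap_net_bind_service' / 'NET_BIND_SERVICE' to one spelling."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def bounding_set(container):
    """Capabilities the container process may ever hold once 'drop: ALL' is set:
    the drop empties the set and 'add' puts entries back. Returns None when ALL is
    not dropped, because the runtime default set is not modelled here."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        return None
    return {_norm(c) for c in caps.get("add") or []}


def exec_conflict(container, file_caps):
    """file_caps: effective file capabilities on the image entrypoint (assumed to be
    read from the image beforehand, e.g. via getcap). Any of them that lies outside
    the bounding set makes execve() of that binary fail with EPERM instead of
    silently dropping the capability. Returns the offending names."""
    bset = bounding_set(container)
    if bset is None:
        return set()
    return {_norm(c) for c in file_caps} - bset


def harden(container, add_caps=()):
    """Return a deep copy whose securityContext satisfies the rules checked above;
    add_caps lists capabilities to put back (Restricted only permits NET_BIND_SERVICE)."""
    c = copy.deepcopy(container)
    sc = c.setdefault("securityContext", {})
    sc["allowPrivilegeEscalation"] = False
    sc["runAsNonRoot"] = True
    sc["seccompProfile"] = {"type": "RuntimeDefault"}
    sc["capabilities"] = {"drop": ["ALL"], "add": list(add_caps)}
    return c


if __name__ == "__main__":
    for finding in check_restricted(ISSUE_CONTAINER):
        print("restricted:", finding)
    # Constructed getcap result for an image built with BIN_AUTOCAB=1.
    print("exec would fail for:", exec_conflict(ISSUE_CONTAINER, {"cap_net_bind_service"}))
```

Running it on the issue's manifest reports the missing runAsNonRoot and seccompProfile settings and shows that the binary's cap_net_bind_service file capability falls outside an empty bounding set, which is the EPERM seen in the log. An image built without setcap, as the custom one in the issue, has no file capabilities and so never hits the conflict regardless of what is dropped.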
