I deploy Blocky in Kubernetes and always try to comply with the Restricted profile of the Pod Security Standard. It requires dropping all capabilities except NET_BIND_SERVICE.

I deploy Blocky on a high port, with the container settings below:

Currently, Blocky cannot run in the Restricted profile. I get the log line

`exec /app/blocky: operation not permitted`

and the container gets restarted.

If I comment out `capabilities: drop: - ALL`, then the container runs.

While working on #1460, I built a custom image without `setcap 'cap_net_bind_service=+ep'`, commenting out `BIN_AUTOCAB=1`. This image runs well in the fully restricted PSS profile.

Besides, I want to mention #1353.

That being said, it would be great to have an image without capabilities. It could be a separate version like `v0.23-unprivileged`.
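As an added illustration (not code from Blocky or from the issue author), here is a small Python model of the execve capability rule from capabilities(7). It shows why a binary carrying `cap_net_bind_service=+ep` gets `operation not permitted` once the pod drops ALL, while either adding NET_BIND_SERVICE back (still allowed by the Restricted profile) or shipping an image without file capabilities execs cleanly. The ambient set is left out because the kernel clears it when executing a file that has capabilities, and the process inheritable set defaults to empty as in an ordinary container process.

```python
import errno
from dataclasses import dataclass

# Capability bit numbers from <linux/capability.h>
CAP_NET_BIND_SERVICE = 10
CAP_NET_RAW = 13


def cap_mask(*caps):
    """Bitmask holding the given capability numbers."""
    mask = 0
    for c in caps:
        mask |= 1 << c
    return mask


@dataclass
class FileCaps:
    """File capabilities as written by setcap(8) on the executable."""
    permitted: int = 0        # fP
    inheritable: int = 0      # fI
    effective: bool = False   # fE; "+ep" sets both fP and fE


@dataclass
class ProcessCaps:
    """Capabilities of the process calling execve (the container's initial cred)."""
    bounding: int             # pB; what Kubernetes capabilities.drop/add shape
    inheritable: int = 0      # pI; empty for an ordinary container process


def exec_caps(proc, fcaps):
    """Model of the kernel rule: pP' = (pB & fP) | (pI & fI).
    If fE is set and pP' lacks any bit of fP (a "capability-dumb" binary),
    execve fails with EPERM. Returns (errno, new_permitted), errno 0 on success."""
    new_permitted = (proc.bounding & fcaps.permitted) | (proc.inheritable & fcaps.inheritable)
    if fcaps.effective and (fcaps.permitted & ~new_permitted):
        return errno.EPERM, new_permitted
    return 0, new_permitted


# Constructed scenarios matching the issue text
BLOCKY_WITH_FILECAP = FileCaps(permitted=cap_mask(CAP_NET_BIND_SERVICE), effective=True)
BLOCKY_UNPRIVILEGED = FileCaps()                     # image built without setcap
DROP_ALL = ProcessCaps(bounding=0)                   # capabilities: drop: [ALL]
DROP_ALL_ADD_BIND = ProcessCaps(bounding=cap_mask(CAP_NET_BIND_SERVICE))  # drop ALL, add NET_BIND_SERVICE

if __name__ == "__main__":
    for label, proc, fcaps in [
        ("drop ALL, binary with file cap", DROP_ALL, BLOCKY_WITH_FILECAP),
        ("drop ALL + add NET_BIND_SERVICE", DROP_ALL_ADD_BIND, BLOCKY_WITH_FILECAP),
        ("drop ALL, binary without file cap", DROP_ALL, BLOCKY_UNPRIVILEGED),
    ]:
        err, perm = exec_caps(proc, fcaps)
        print(f"{label}: {'EPERM' if err else 'ok'}, permitted=0x{perm:x}")
```

The middle scenario is the Restricted-compliant fix for the current image; the last one is what the unprivileged image achieves without any securityContext changes.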