Reputation: 33083
The nginx ingress controller for Kubernetes uses the cap_net_bind_service capability, which is a Linux filesystem attribute, to obtain the permissions to open a privileged port (port 80). However, I have a kind test which creates a local Kubernetes cluster using docker containers as virtual nodes (docker inside docker) and starts up an nginx ingress controller pod. This controller pod works fine in Docker Desktop on Windows 10, but when I run the same test on Linux, the controller pod repeatedly crashes on startup, with:
[17:27:34]nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
Yet the required capability exists in the nested Docker container:
$ allpods=$(kubectl get pods)
$ ingresspod=$(echo "$allpods"|grep '^nginx-ingress-controller'|head -n1)
$ kubectl exec "${ingresspod%% *}" -- getcap -v /usr/local/nginx/sbin/nginx
/usr/local/nginx/sbin/nginx = cap_net_bind_service+ep
SELinux is enabled but in permissive mode on the Linux host.
Upvotes: 0
Views: 3356
Reputation: 33083
This turned out to be because on the Linux host, dockerd was being run with the --no-new-privileges option.
Upvotes: 3