feat(docker): non-root image binds :80/:443 via CAP_NET_BIND_SERVICE file capability#714
…:80/:443

Customers deploying the DP with Kubernetes hostNetwork want the proxy listener directly on node port 80. The image runs as uid 10001, so the bind previously required running the container as root (or a separate root image). Set the `cap_net_bind_service=+ep` file capability on the binary instead: the image stays non-root and privileged ports work in plain Docker, hostNetwork pods, and under the restricted Pod Security Standard (drop ALL + add NET_BIND_SERVICE).

Install + setcap happen in one bind-mount RUN so the xattr change does not duplicate the binary into a second layer (and `COPY --from` does not reliably carry xattrs).

PR builds now load the image and smoke-test the contract: run the container on the host network with `proxy.addr :80` and require `/livez` to answer. Fails on the pre-fix image where the bind is refused.
Customers deploying the DP on Kubernetes with `hostNetwork: true` want the proxy listener directly on node port 80. The image runs as uid 10001, so binding a privileged port previously required running the container as root (or shipping a separate root image variant).

Instead, the Dockerfile now sets the `cap_net_bind_service=+ep` file capability on the binary. The image stays non-root and can bind 80/443 in plain Docker, in hostNetwork pods, and under the restricted Pod Security Standard (`drop: [ALL]` + `add: [NET_BIND_SERVICE]`). Same approach as Traefik/Envoy images. No separate root image, no release-workflow changes.

Implementation notes:

- Install + `setcap` happen in one bind-mount `RUN` (no `COPY --from` for the binary) so the xattr change doesn't duplicate the ~large binary into a second layer, and because `COPY` does not reliably carry `security.capability` xattrs; `libcap2-bin` is purged again in the same layer.

Behavior change / compatibility:

- `NET_BIND_SERVICE` is in the default Docker/containerd capability set, so default deployments are unaffected. The one caveat: a pod that drops ALL capabilities without adding `NET_BIND_SERVICE` back now fails at exec (`Operation not permitted`) instead of starting. With the effective bit set, the kernel refuses to exec a binary whose file capabilities cannot be granted. Documented in the paired docs PR (api7/docs#1766).

Testing:

- `docker-image.yml` PR builds now `load` the image and smoke-test the contract: run the container with the default non-root user on the host network with `proxy.addr: 0.0.0.0:80` and require `/livez` to answer. The test fails on the pre-fix image (`proxy serve error: Permission denied (os error 13)`) and passes with this change.
- Also locally verified: `--cap-drop ALL` fails exec as documented, `--cap-drop ALL --cap-add NET_BIND_SERVICE` works.

🤖 Generated with Claude Code
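The three contracts the PR describes (default capabilities on the host network, the restricted-PSS `drop ALL` + `add NET_BIND_SERVICE` shape, and the exec refusal when `ALL` is dropped without adding the capability back), as an added example that is not the PR's Dockerfile or CI workflow and not the project's code. It assumes hypothetical names throughout: the image tag `dp-capdemo:local`, a stand-in "proxy" (busybox `httpd` serving `/livez` on `:80`) in place of the real binary, and the function names below. It needs BuildKit, a Docker daemon and `curl`; the docker-driving functions only run when the script is invoked with the argument `run`.

```sh
#!/bin/sh
# Added example; not the PR's Dockerfile or CI workflow. It rebuilds the three
# contracts the PR describes for a non-root image carrying a file capability.
# Hypothetical names: image tag dp-capdemo:local; the "proxy" is a stand-in
# (busybox httpd serving /livez on :80); uid 10001 as in the PR. The docker
# functions need BuildKit, a Docker daemon and curl; they only run via "run".
set -eu

IMAGE="${IMAGE:-dp-capdemo:local}"   # hypothetical tag

# Dockerfile in the PR's shape: install setcap, bring the binary in through a
# bind mount rather than COPY --from (COPY does not reliably carry the
# security.capability xattr), set the capability, assert it stuck, and purge
# libcap2-bin in the same RUN so the binary lands in exactly one layer.
dockerfile() {
  cat <<'EOF'
# syntax=docker/dockerfile:1
FROM busybox:stable AS builder
# Stand-in for the proxy binary: static busybox, later invoked as httpd.
RUN mkdir -p /out/www && echo ok > /out/www/livez && cp /bin/busybox /out/httpd

FROM debian:bookworm-slim
RUN --mount=type=bind,from=builder,source=/out,target=/src \
    apt-get update \
 && apt-get install -y --no-install-recommends libcap2-bin \
 && cp /src/httpd /usr/local/bin/httpd && cp -r /src/www /www \
 && setcap cap_net_bind_service=+ep /usr/local/bin/httpd \
 && getcap /usr/local/bin/httpd | grep -q 'cap_net_bind_service[=+]ep' \
 && apt-get purge -y --auto-remove libcap2-bin \
 && rm -rf /var/lib/apt/lists/*
USER 10001:10001
ENTRYPOINT ["/usr/local/bin/httpd", "-f", "-p", "0.0.0.0:80", "-h", "/www"]
EOF
}

build_image() { dockerfile | DOCKER_BUILDKIT=1 docker build -t "$IMAGE" -f - . ; }

# Pure helper (no docker): does one getcap(8) line grant NET_BIND_SERVICE as
# effective+permitted? Both libcap output styles are accepted:
#   "/path cap_net_bind_service=ep"   and   "/path = cap_net_bind_service+ep"
getcap_grants_net_bind() {
  case "$1" in *cap_net_bind_service*) ;; *) return 1 ;; esac
  rest="${1##*cap_net_bind_service}"   # text after the capability name
  rest="${rest%% *}"                    # e.g. "=ep", "+ep", ",cap_chown=ep"
  flags="${rest##*[=+]}"
  case "$flags" in *e*p*|*p*e*) return 0 ;; *) return 1 ;; esac
}

# Start the image with the given docker-run flags and require /livez to answer.
# Every probe uses --network host on purpose: Docker 20.10+ sets
# net.ipv4.ip_unprivileged_port_start=0 inside a container-private network
# namespace, so only a host-network run actually exercises the capability.
probe_livez() {   # usage: probe_livez [docker run flags...]
  cid=$(docker run -d --rm --network host "$@" "$IMAGE")
  ok=1
  for _ in $(seq 1 20); do
    if curl -fsS http://127.0.0.1:80/livez >/dev/null 2>&1; then ok=0; break; fi
    sleep 0.5
  done
  [ "$ok" -eq 0 ] || docker logs "$cid" >&2 || true
  docker rm -f "$cid" >/dev/null 2>&1 || true
  return "$ok"
}

# Contract 1: default capability set (includes NET_BIND_SERVICE), as in CI.
smoke_default_caps() { probe_livez; }

# Contract 2: the restricted Pod Security Standard shape still binds :80.
smoke_restricted_caps() { probe_livez --cap-drop ALL --cap-add NET_BIND_SERVICE; }

# Contract 3 (the PR's caveat): drop ALL without adding NET_BIND_SERVICE back
# and execve itself fails with EPERM. With the effective bit set, the kernel
# refuses to exec a binary whose file capabilities the bounding set cannot
# grant; it is a hard error, not a silent fall-back to an unprivileged start.
# "--help" keeps the probe from blocking if exec unexpectedly succeeds.
exec_refused_without_cap() {
  out=$(docker run --rm --cap-drop ALL "$IMAGE" --help 2>&1 || true)
  printf '%s\n' "$out" | grep -qi 'operation not permitted'
}

run_all() {
  build_image
  smoke_default_caps       || { echo "FAIL: default caps on host network" >&2; exit 1; }
  smoke_restricted_caps    || { echo "FAIL: drop ALL + add NET_BIND_SERVICE" >&2; exit 1; }
  exec_refused_without_cap || { echo "FAIL: drop ALL should refuse exec" >&2; exit 1; }
  echo "all three contracts hold for $IMAGE"
}

if [ "${1:-}" = run ]; then run_all; fi
```

The `getcap ... | grep` inside the `RUN` doubles as a build-time assertion that the `security.capability` xattr survived on the copied file, which is the property `COPY --from` would not guarantee; `getcap_grants_net_bind` is the same check for a line captured from a build log or a `getcap` run over an extracted rootfs. The `--cap-drop ALL --cap-add NET_BIND_SERVICE` flags are the docker-run equivalent of a restricted-PSS container `securityContext` with `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}` and `runAsNonRoot: true`.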