add sysctl net.ipv4.ip_unprivileged_port_start 53 #171
Conversation
Signed-off-by: Paco Xu <paco.xu@daocloud.io>
|
/assign @chrisohaver |
|
@pacoxu thanks for the PR. Can you explain why should this be in the default values? We already expose this so individuals can override the setting using helm's Seems like this change is for a specific use case, which can be handled without any changes, and I'm not sure this should be globally set as the default |
|
BTW, this needs kernel 4.11+ Or coredns pod will fail with below error:
For more context, see kubernetes/kubernetes#105309 (comment). |
|
/hold |
|
BTW, this should already be covered with https://github.com/coredns/helm/blob/master/charts/coredns/values.yaml#L94C1-L97C25 |
| podSecurityContext: | ||
| sysctls: | ||
| - name: net.ipv4.ip_unprivileged_port_start | ||
| value: "53" |
There was a problem hiding this comment.
This should already be covered by https://github.com/coredns/helm/blob/master/charts/coredns/values.yaml#L94C1-L97C25
There was a problem hiding this comment.
This is an alter way and with the new sysctl, we can remove the NET_BIND_SERVICE capability.
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
There was a problem hiding this comment.
Since we already have a solution in place for this, I don't think we should make any changes, this works as intended and there's no real value in replacing the capabilities with the sysctls
|
Closing this, this is already covered by using the |
ref coredns/deployment#298
kubernetes/kubernetes#103326 marked it as safe sysctl since Kubernetes v1.22.
Kernel 4.11 add this: torvalds/linux@4548b68 which is per namespaced.
xref coredns/coredns#6716 and kubernetes/kubernetes#125226.