Remove cap_net_bind_service from image

[jacobsalway]

Purpose of this PR

• Remove setcap 'cap_net_bind_service=+ep' from the build so the container can be run with all capabilities dropped on a non-privileged port
• Looking at other open source components, it seems more common to run on a non-privileged port and require either root or NET_BIND_SERVICE to run on a privileged port e.g. 443
  • e.g. https://open-policy-agent.github.io/gatekeeper/website/docs/vendor-specific/#running-on-private-gke-cluster-nodes
• The webhook runs on port 9443 by default which doesn't require any privilege escalation

Run the operator with the following values:

controller:
  securityContext:
    capabilities:
      drop: ["ALL"]
webhook:
  securityContext:
    capabilities:
      drop: ["ALL"]

#2211

Change Category

• Bugfix (non-breaking change which fixes an issue)
• Feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that could affect existing functionality)
• Documentation update

Checklist

Before submitting your PR, please review the following:

• I have conducted a self-review of my own code.
• I have updated documentation accordingly.
• I have added tests that prove my changes are effective or that my feature works.
• Existing unit tests pass locally with my changes.

[jacobsalway]

/hold

Holding to give time for comments. Tagging @ImpSy since you added this in your original PR #2171

[ImpSy]

Yeah I implemented a solution for allowing runAsNonRoot: true in the security context while selecting all possible ports

If we really want to drop all capabilities we can remove it (but we need to document that the container can't use ports <1024)

[ImpSy]

you can also remove lines 23-25, since we only install libcap2-bin to be able to run setcap

[jacobsalway]

Thanks, good catch I missed that

[jacobsalway]

If this changed is merged, I'll add a doc page on solutions for running on port <1024. You could either run as root, add back the NET_BIND_SERVICE capability or build your own image with this flag on the binary.

Posting some examples I found of other projects:

• OPA Gatekeeper
• metrics-server
• ingress-nginx uses this field, however I think you'd usually expect NGINX to run on port 80 or 443 as it's usually used for web traffic and not an internal webhook. Provide binaries without CAP_NET_BIND_SERVICE kubernetes/ingress-nginx#10002

[google-oss-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ChenYi015

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ChenYi015]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jacobsalway]

@ChenYi015 let's make sure we call this out specifically on whichever release changelog this ends up in. I'll write a page under https://github.com/kubeflow/website as well.

[jacobsalway]

/hold cancel

[ChenYi015]

let's make sure we call this out specifically on whichever release changelog this ends up in.

Sure, I will clarify this in the next release changelog (maybe v2.0.2).

/lgtm