Failed to create listener: bind: permission denied #782

Closed
pierluigilenoci opened this issue Jun 9, 2021 · 40 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@pierluigilenoci
Contributor

What happened:

I tried to install metrics-server on an AWS EKS cluster with the official manifest

The pod goes into CrashLoopBack with this error:

Error: failed to create listener: failed to listen on 0.0.0.0:443: listen tcp 0.0.0.0:443: bind: permission denied
Usage:
   [flags]

Flags:
      --add_dir_header                                          If true, adds the file directory to the header of the log messages
      --alsologtostderr                                         log to standard error as well as files
      --authentication-kubeconfig string                        kubeconfig file pointing at the 'core' kubernetes server with enough rights to create tokenreviews.authentication.k8s.io.
      --authentication-skip-lookup                              If false, the authentication-kubeconfig will be used to lookup missing authentication configuration from the cluster.
      --authentication-token-webhook-cache-ttl duration         The duration to cache responses from the webhook token authenticator. (default 10s)
      --authentication-tolerate-lookup-failure                  If true, failures to look up missing authentication configuration from the cluster are not considered fatal. Note that this can result in authentication that treats all requests as anonymous.
      --authorization-always-allow-paths strings                A list of HTTP paths to skip during authorization, i.e. these are authorized without contacting the 'core' kubernetes server.
      --authorization-kubeconfig string                         kubeconfig file pointing at the 'core' kubernetes server with enough rights to create subjectaccessreviews.authorization.k8s.io.
      --authorization-webhook-cache-authorized-ttl duration     The duration to cache 'authorized' responses from the webhook authorizer. (default 10s)
      --authorization-webhook-cache-unauthorized-ttl duration   The duration to cache 'unauthorized' responses from the webhook authorizer. (default 10s)
      --bind-address ip                                         The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank or an unspecified address (0.0.0.0 or ::), all interfaces will be used. (default 0.0.0.0)
      --cert-dir string                                         The directory where the TLS certs are located. If --tls-cert-file and --tls-private-key-file are provided, this flag will be ignored. (default "apiserver.local.config/certificates")
      --client-ca-file string                                   If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
      --contention-profiling                                    Enable lock contention profiling, if profiling is enabled
  -h, --help                                                    help for this command
      --http2-max-streams-per-connection int                    The limit that the server gives to clients for the maximum number of streams in an HTTP/2 connection. Zero means to use golang's default.
      --kubeconfig string                                       The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)
      --kubelet-certificate-authority string                    Path to the CA to use to validate the Kubelet's serving certificates.
      --kubelet-client-certificate string                       Path to a client cert file for TLS.
      --kubelet-client-key string                               Path to a client key file for TLS.
      --kubelet-insecure-tls                                    Do not verify CA of serving certificates presented by Kubelets.  For testing purposes only.
      --kubelet-port int                                        The port to use to connect to Kubelets. (default 10250)
      --kubelet-preferred-address-types strings                 The priority of node address types to use when determining which address to use to connect to a particular node (default [Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP])
      --kubelet-use-node-status-port                            Use the port in the node status. Takes precedence over --kubelet-port flag.
      --log-flush-frequency duration                            Maximum number of seconds between log flushes (default 5s)
      --log_backtrace_at traceLocation                          when logging hits line file:N, emit a stack trace (default :0)
      --log_dir string                                          If non-empty, write log files in this directory
      --log_file string                                         If non-empty, use this log file
      --log_file_max_size uint                                  Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --logtostderr                                             log to standard error instead of files (default true)
      --metric-resolution duration                              The resolution at which metrics-server will retain metrics. (default 1m0s)
      --permit-port-sharing                                     If true, SO_REUSEPORT will be used when binding the port, which allows more than one instance to bind on the same address and port. [default=false]
      --profiling                                               Enable profiling via web interface host:port/debug/pprof/ (default true)
      --requestheader-allowed-names strings                     List of client certificate common names to allow to provide usernames in headers specified by --requestheader-username-headers. If empty, any client certificate validated by the authorities in --requestheader-client-ca-file is allowed.
      --requestheader-client-ca-file string                     Root certificate bundle to use to verify client certificates on incoming requests before trusting usernames in headers specified by --requestheader-username-headers. WARNING: generally do not depend on authorization being already done for incoming requests.
      --requestheader-extra-headers-prefix strings              List of request header prefixes to inspect. X-Remote-Extra- is suggested. (default [x-remote-extra-])
      --requestheader-group-headers strings                     List of request headers to inspect for groups. X-Remote-Group is suggested. (default [x-remote-group])
      --requestheader-username-headers strings                  List of request headers to inspect for usernames. X-Remote-User is common. (default [x-remote-user])
      --secure-port int                                         The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. (default 443)
      --skip_headers                                            If true, avoid header prefixes in the log messages
      --skip_log_headers                                        If true, avoid headers when opening log files
      --stderrthreshold severity                                logs at or above this threshold go to stderr (default 2)
      --tls-cert-file string                                    File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
      --tls-cipher-suites strings                               Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
                                                                Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
                                                                Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
      --tls-min-version string                                  Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
      --tls-private-key-file string                             File containing the default x509 private key matching --tls-cert-file.
      --tls-sni-cert-key namedCertKey                           A pair of x509 certificate and private key file paths, optionally suffixed with a list of domain patterns which are fully qualified domain names, possibly with prefixed wildcard segments. The domain patterns also allow IP addresses, but IPs should only be used if the apiserver has visibility to the IP address requested by a client. If no domain patterns are provided, the names of the certificate are extracted. Non-wildcard matches trump over wildcard matches, explicit domain patterns trump over extracted names. For multiple key/certificate pairs, use the --tls-sni-cert-key multiple times. Examples: "example.crt,example.key" or "foo.crt,foo.key:*.foo.com,foo.com". (default [])
  -v, --v Level                                                 number for the log level verbosity
      --version                                                 Show version
      --vmodule moduleSpec                                      comma-separated list of pattern=N settings for file-filtered logging

panic: failed to create listener: failed to listen on 0.0.0.0:443: listen tcp 0.0.0.0:443: bind: permission denied

goroutine 1 [running]:
main.main()
	/go/src/sigs.k8s.io/metrics-server/cmd/metrics-server/metrics-server.go:39 +0xfc

The only changes between versions 0.4.4 and version 0.5.0 of the manifest are the container port (from 4443 to 443).

@stevehipwell also had the same problem, again on EKS.

Ref: #670 (comment)

What you expected to happen:

The pod starts without problems.

Anything else we need to know?:

Environment:

  • Kubernetes distribution: AWS EKS

  • Container Network Setup (flannel, calico, etc.): AWS Calico

  • Kubernetes version (use kubectl version): Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.4-eks-6b7464", GitCommit:"6b746440c04cb81db4426842b4ae65c3f7035e53", GitTreeState:"clean", BuildDate:"2021-03-19T19:33:03Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

  • Metrics Server manifest

https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.5.0/components.yaml

/kind bug

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 9, 2021
@aywrite

aywrite commented Jun 11, 2021

There was some discussion of this same issue on #725 after it was closed.

@pierluigilenoci
Contributor Author

@serathius could you please take a look?

@hetpats

hetpats commented Sep 1, 2021

Even with permissive PSP the container fails to bind the port, changing the container port, LP & RP to 4443, gets the pod up but it doesn't return metrics. Please help to resolve this issue, we will revert back to older version till this issue is fixed.

PSP setting:-

spec:
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - '*'
  fsGroup:
    rule: RunAsAny
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  privileged: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'

@pierluigilenoci
Contributor Author

@yangjunmyfm192085 @dgrisonnet @maxbrunet @serathius @ikarldasan could you please take a look?

@stevehipwell
Contributor

I'm interested as to why it's desirable to use port 443 in the pod? The service can provide an idiomatic port such as 443 while the container can use a safe port such as 4443 which doesn't need any extended security settings. This is the pattern currently configured for the Helm chart PR (#670).

@yangjunmyfm192085
Contributor

@pierluigilenoci @hetpats , I think you can do the following check first.
Error: failed to create listener: failed to listen on 0.0.0.0:443: listen tcp 0.0.0.0:443: bind: permission denied.

@pierluigilenoci
Contributor Author

@stevehipwell it doesn't really make sense to me to use a port < 1024 for multiple reasons. It just creates complications with no real benefit.

@yangjunmyfm192085 I installed the software with this chart #670 and CAP_NET_BIND_SERVICE is not configured if I have seen correctly. @stevehipwell could you please confirm?

@stevehipwell
Contributor

@pierluigilenoci if you want to use a port lower than 1024 you need to setup the security context in the chart to support this.

@pierluigilenoci
Contributor Author

pierluigilenoci commented Sep 2, 2021

@stevehipwell I absolutely don't want to do it, the metrics-server maintainers want that #730. 😄
But given the current situation, perhaps it would be appropriate to put it by default in chart #670. 😞
Basically, this issue is all around this.

@pierluigilenoci
Contributor Author

pierluigilenoci commented Sep 2, 2021

@yangjunmyfm192085 obviously I didn't mention the fact that the problem occurs using the official manifest https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.5.0/components.yaml because it was in the issue text itself.
Ref: https://github.com/kubernetes-sigs/metrics-server/releases/tag/v0.5.0

@stevehipwell
Contributor

@pierluigilenoci I've just looked at the official manifest and as far as I can tell it's not going to work as the capabilities haven't been set in the security context. Have you tried the following security context?

securityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  capabilities:
    drop:
      - all
    add:
      - NET_BIND_SERVICE

@hetpats it's not the PSP, could you try the security context above?

@stevehipwell
Contributor

@yangjunmyfm192085 the Docker image is set to run as user 65534 (or nobody) which unless I'm mistaken will not have the permissions to bind to port 443. Firstly shouldn't the security context use user 65534 user rather than 1000? Secondly, if the container should be using port 443 shouldn't the security context add the NET_BIND_SERVICE capability?

@yangjunmyfm192085
Contributor

yangjunmyfm192085 commented Sep 2, 2021

Hi @stevehipwell, 65534 is a default user, through the official explanation of docker, it can be overridden by 1000,
https://docs.docker.com/engine/reference/run/#user.

NET_BIND_SERVICE capability is set in the dockerfile here
https://github.com/kubernetes-sigs/metrics-server/blob/v0.5.0/Dockerfile#L18

@yangjunmyfm192085
Contributor

@pierluigilenoci What kind of runtime are you using?
What is the runtime and system kernel version?

@stevehipwell
Contributor

@yangjunmyfm192085 I know the user can be overridden by 1000 (or anything) but this is unintuitive with an image which has a named user specifically for this purpose. The line you've quoted on the Dockerfile is for the build image and not the actual image shipped so has no impact.

@yangjunmyfm192085
Contributor

yangjunmyfm192085 commented Sep 2, 2021

@stevehipwell, I think RUN setcap cap_net_bind_service=+ep metrics-server has enabled the NET_BIND_SERVICE capability for metrics-server.
Maybe the real cause of this issue has not been found yet.
Let us ask @pierluigilenoci, according to your suggestion, whether it works?

@pierluigilenoci
Contributor Author

@stevehipwell I didn't do it because I wasn't interested in finding a workaround but that it was fixed at the source. So I have not made any attempt with the securityContext.

@yangjunmyfm192085 I did not understand in detail what you are asking but I used the manifest without any changes. The details of the environment are specified in the issue text. What other detail are you interested in?

@pierluigilenoci
Contributor Author

I use the @stevehipwell chart to install the metrics-server and I was able to install it properly after this chart release stevehipwell/helm-charts@9eca9cc#diff-075666af5967de738291733584934578239841b3eaf0caf7965207aba168ed75

@stevehipwell
Contributor

@yangjunmyfm192085 after looking through #725 I can see that RUN setcap cap_net_bind_service=+ep metrics-server is setting extended attributes that should be copied through from the previous stage (might be worth a comment as this isn't always the case); but these just make the binary aware of the required capabilities. When running as a non-root user you still need to define the capabilities as described in the README for this repo (or if just running in Docker their guide).

My personal suggestion of what's missing in the official manifest is below.

securityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 65534
  capabilities:
    drop:
      - all
    add:
      - NET_BIND_SERVICE

@serathius could you take a look at this thread and offer your thoughts?

@yangjunmyfm192085
Contributor

> I use the @stevehipwell chart to install the metrics-server and I was able to install it properly after this chart release stevehipwell/helm-charts@9eca9cc#diff-075666af5967de738291733584934578239841b3eaf0caf7965207aba168ed75

Yeah, I think this chart uses the container port 4443 here, so you can install it properly @stevehipwell .
stevehipwell/helm-charts@9eca9cc#diff-388bebf658e7a2cd5fee27a4c120a71575fc2cd0f8ca0ea48d4add89e4e1ddc4R58.

@stevehipwell
Contributor

@yangjunmyfm192085 I use container port 4443 in this chart as the manifests for v0.5.0 don't work and I chose to limit the container port rather than update the security context; either would have worked to the best of my understanding.

@yangjunmyfm192085
Contributor

> @yangjunmyfm192085 I use container port 4443 in this chart as the manifests for v0.5.0 don't work and I chose to limit the container port rather than update the security context; either would have worked to the best of my understanding.

Anyway, you solved @pierluigilenoci's issue, thanks.
Similar issues have appeared many times recently, but the cause was not found.
Can it work if the security context is updated? I hope someone who has this scene can verify it.

@stevehipwell
Contributor

@yangjunmyfm192085 I assume that anyone running the official manifests would be getting this issue and I'm saying that it will work if the security context is updated or if the port is made >1024.

@yangjunmyfm192085
Contributor

yangjunmyfm192085 commented Sep 2, 2021

> @yangjunmyfm192085 I assume that anyone running the official manifests would be getting this issue and I'm saying that it will work if the security context is updated or if the port is made >1024.

I run the official manifests locally and it’s normal, so I want to know if it will work if the security context is updated in pierluigilenoci's scene

@serathius
Contributor

Main motivation for using port 443 is backward compatibility with https://github.com/kubernetes/kubernetes/blob/2a88664eccdf02cd01777b48171873a028117737/cluster/addons/metrics-server/metrics-server-deployment.yaml#L61

In v0.4.0 we stopped using root user in the image, which broke K8s e2e tests. We could not change the port as 443 as this would be a breaking change for firewall rules in common K8s setups (discussion kubernetes/kubernetes#103713 (comment)). To mitigate it @x13 proposed to add capability on binary to allow binding privileged ports even for non-root users.

This unfortunately impacted also other users, as even though they don't bind privileged port, by giving binary this capability it will always require this to run.

As a solution I think we should start working on migrating K8s e2e test components out of privileged port. I'm for that, but we need to convince some people. I would start with @liggitt

@pierluigilenoci
Contributor Author

@yangjunmyfm192085 I don't understand how the official manifest can work for you.
But by "locally" do you mean on your local machine?

WorksOnMyMachine

@yangjunmyfm192085
Contributor

> @yangjunmyfm192085 I don't understand how the official manifest can work for you.
> But by "locally" do you mean on your local machine?
>
> WorksOnMyMachine

use kind or my local machine both ok.

@stevehipwell
Contributor

@serathius I'm not sure why switching the deployment container port to 4443 would be a breaking change as the service would still be on port 443 and the APIService binds to that not the deployment?

Based on everything said here the release manifests seem to be incorrect and need the capability adding, would you agree @serathius?

Also if the capability is always required to run the binary I'm not sure how my chart is currently working as that doesn't have the capability set which makes me think that either Docker isn't copying across the extended attributes or this isn't the case?

@yangjunmyfm192085 I've seen it work in Kind too, I think this is because containers are run as privileged due to it being DinD; this caused the first v0.5.0 version of my chart to break as the CI passed. By local what do you mean?
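
The combinations argued over in this thread (`setcap` on the binary, `drop: all`, adding NET_BIND_SERVICE, port 443 versus 4443) can be checked against the execve() rules in capabilities(7). The model below is an added example, not part of the original thread or of metrics-server; `Container`, `start` and the scenario names are hypothetical, and it assumes a non-root process with no ambient capabilities and a binary with no inheritable file capabilities.

```python
"""Added example: execve() capability rules from capabilities(7) for a
non-root container process, applied to the cases discussed in this thread.
Assumes no ambient capabilities and no inheritable file capabilities."""
from dataclasses import dataclass

# Capabilities Docker and containerd grant by default when the pod spec
# neither adds nor drops any.
RUNTIME_DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
})
NET_BIND = "NET_BIND_SERVICE"


@dataclass(frozen=True)
class Container:
    port: int                                # port the process binds inside the pod
    cap_add: tuple = ()                      # securityContext.capabilities.add
    cap_drop: tuple = ()                     # securityContext.capabilities.drop
    file_permitted: frozenset = frozenset()  # set on the binary by `setcap ...=+ep`
    file_effective: bool = False             # the "e" flag of `+ep`


def bounding_set(c):
    """Bounding set for the container: runtime defaults, minus drop, plus add."""
    drop = {name.upper() for name in c.cap_drop}
    add = {name.upper() for name in c.cap_add}
    base = frozenset() if "ALL" in drop else RUNTIME_DEFAULT_CAPS - drop
    return frozenset(base | add)


def exec_as_non_root(c):
    """Return (error, effective_caps) for execve() of the binary as non-root."""
    # P'(permitted) = F(permitted) & P(bounding); the other terms are empty here.
    permitted = c.file_permitted & bounding_set(c)
    if c.file_effective and permitted != c.file_permitted:
        # Check for capability-dumb binaries: a file capability was masked by
        # the bounding set, so the kernel refuses to start the program at all.
        return "exec: operation not permitted", frozenset()
    # P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
    return None, (permitted if c.file_effective else frozenset())


def start(c, unprivileged_port_start=1024):
    """Predict what happens when the server starts and binds c.port."""
    error, effective = exec_as_non_root(c)
    if error:
        return error
    # Ports below net.ipv4.ip_unprivileged_port_start need CAP_NET_BIND_SERVICE.
    if c.port < unprivileged_port_start and NET_BIND not in effective:
        return "bind: permission denied"
    return "listening"


SETCAP = dict(file_permitted=frozenset({NET_BIND}), file_effective=True)
DROP_ALL_ADD_BIND = dict(cap_drop=("all",), cap_add=(NET_BIND,))

# Constructed scenarios, one per configuration discussed in the thread.
SCENARIOS = {
    "443, plain binary, default caps": Container(443),
    "4443, plain binary, drop all": Container(4443, cap_drop=("all",)),
    "443, setcap binary, default caps": Container(443, **SETCAP),
    "443, setcap binary, drop all": Container(443, cap_drop=("all",), **SETCAP),
    "4443, setcap binary, drop all": Container(4443, cap_drop=("all",), **SETCAP),
    "443, setcap binary, drop all + add": Container(443, **DROP_ALL_ADD_BIND, **SETCAP),
    "443, plain binary, drop all + add": Container(443, **DROP_ALL_ADD_BIND),
}

if __name__ == "__main__":
    for name, container in SCENARIOS.items():
        print(f"{name:38} -> {start(container)}")
```

The "plain binary" rows also describe an image in which the file capability did not survive the copy between build stages, the possibility raised in the comment above.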

@pierluigilenoci
Contributor Author

> @yangjunmyfm192085 I've seen it work in Kind too, I think this is because containers are run as privileged due to it being DinD; this caused the first v0.5.0 version of my chart to break as the CI passed. By local what do you mean?

I would like to point out that for some time Azure AKS has switched to containerd so DinD is no longer possible.

@stevehipwell
Contributor

> I would like to point out that for some time Azure AKS has switched to containerd so DinD is no longer possible.

@pierluigilenoci that's probably not relevant here as the DinD bit here is to explain why it works on a local machine, but EKS are making the same transition and it's worth knowing.

@yangjunmyfm192085
Contributor

> @serathius I'm not sure why switching the deployment container port to 4443 would be a breaking change as the service would still be on port 443 and the APIService binds to that not the deployment?
>
> Based on everything said here the release manifests seem to be incorrect and need the capability adding, would you agree @serathius?
>
> Also if the capability is always required to run the binary I'm not sure how my chart is currently working as that doesn't have the capability set which makes me think that either Docker isn't copying across the extended attributes or this isn't the case?
>
> @yangjunmyfm192085 I've seen it work in Kind too, I think this is because containers are run as privileged due to it being DinD; this caused the first v0.5.0 version of my chart to break as the CI passed. By local what do you mean?

I mean, kubernetes runs on my local machine

@hetpats

hetpats commented Sep 9, 2021

> @pierluigilenoci I've just looked at the official manifest and as far as I can tell it's not going to work as the capabilities haven't been set in the security context. Have you tried the following security context?
>
> securityContext:
>   readOnlyRootFilesystem: true
>   runAsNonRoot: true
>   runAsUser: 1000
>   capabilities:
>     drop:
>       - all
>     add:
>       - NET_BIND_SERVICE
>
> @hetpats it's not the PSP, could you try the security context above?

@pierluigilenoci Tried running it with above SecurityContext and it still fails.

@hetpats

hetpats commented Sep 9, 2021

> @yangjunmyfm192085 I use container port 4443 in this chart as the manifests for v0.5.0 don't work and I chose to limit the container port rather than update the security context; either would have worked to the best of my understanding.
>
> any way, you solved @pierluigilenoci's issue, thanks.
> Similar issues have appeared many times recently. but the cause was not found.
> Can it work if the security context is updated? I hope someone who has this scene can verify it.

Tried it with securitycontext suggested by @pierluigilenoci and it still wouldn't bind to 443
│ metrics-server-6b56744b55-nchpv -v, --v Level number for the log level verbosity │
│ metrics-server-6b56744b55-nchpv --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging │
│ metrics-server-6b56744b55-nchpv panic: failed to create listener: failed to listen on 0.0.0.0:443: listen tcp 0.0.0.0:443: bind: permission denied │
│ metrics-server-6b56744b55-nchpv goroutine 1 [running]: │
│ metrics-server-6b56744b55-nchpv main.main() │
│ metrics-server-6b56744b55-nchpv /go/src/sigs.k8s.io/metrics-server/cmd/metrics-server/metrics-server.go:39 +0x105

@hetpats

hetpats commented Sep 9, 2021

> @yangjunmyfm192085 after looking through #725 I can see that RUN setcap cap_net_bind_service=+ep metrics-server is setting extended attributes that should be copied through from the previous stage (might be worth a comment as this isn't always the case); but these just make the binary aware of the required capabilities. When running as a non-root user you still need to define the capabilities as described in the README for this repo (or if just running in Docker their guide).
>
> My personal suggestion of what's missing in the official manifest is below.
>
> securityContext:
>   readOnlyRootFilesystem: true
>   runAsNonRoot: true
>   runAsUser: 65534
>   runAsGroup: 65534
>   capabilities:
>     drop:
>       - all
>     add:
>       - NET_BIND_SERVICE
>
> @serathius could you take a look at this thread and offer your thoughts?

Tried this too and still couldn't bind to 443

@stevehipwell
Contributor

I've just been looking at something completely un-related and have noticed that if you're running with hostNetwork: true you get hostPort set to the same value as the container port in the pod ports. Could this be the cause of this issue?

@dgrisonnet
Member

Going forward, metrics-server shouldn't listen on a privileged port anymore after #884.

New releases of metrics-server containing the fix are on the way: #894 #895. Once they are released, could you please upgrade and check if you continue to see the error in EKS?

@pierluigilenoci
Contributor Author

Can't wait for the new versions to be released! ❤️

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 14, 2022
@stevehipwell
Contributor

@pierluigilenoci I think this should be able to be closed now?

@pierluigilenoci
Contributor Author

@stevehipwell yep!
