Fix binding to privileged ports 1 to 1023 #3038
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aledbf The full list of commands accepted by this bot can be found here. The pull request process is described here
This is not fixed. Last known version that works is:
@johan-smits can you be more specific? Please open a new issue with the details, please.
@aledbf, while trying to bind a port < 1023 for TLS, I am getting the error below. Using AWS NLB and have certs inside the container, in which case I assume pass-through isn't applicable.
nginx: the configuration file /tmp/nginx-cfg632096686 syntax is ok
Tried: upgraded image to quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.22.0
@anilraut30 I had the same issue, could you open a new issue? I did not have the time to reverse the setup back (it is running in production now). Going back to the version I mentioned, you can make it work.
What this PR does / why we need it:
When SSL passthrough is enabled (flag --enable-ssl-passthrough), the traffic on port 443 goes through the Go binary. The issue with this is that Go does not work with authbind. Also, this PR adds the mapping to all the privileged ports to allow nginx to bind any port, not only 80 and 443.
Which issue this PR fixes:
fixes #2994
fixes #3037
fixes #3036
Edit: add note that --enable-ssl-passthrough requires a docker graph with support for setcap
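
A check that can be run inside the container to see whether a process is able to bind ports below 1024 without authbind, added here as an example (it is not code from this PR or from ingress-nginx). It assumes the setcap mentioned above grants CAP_NET_BIND_SERVICE; the function names and the sample status text are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Bit number of CAP_NET_BIND_SERVICE in the Linux capability masks.
const capNetBindService = 10

// Constructed samples of /proc/<pid>/status content (not captured from a real pod).
const sampleWithCap = "Name:\tcontroller\nUid:\t33\t33\t33\t33\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
const sampleNoCap = "Name:\tcontroller\nUid:\t33\t33\t33\t33\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"

// effectiveCaps extracts the CapEff bitmask from /proc/<pid>/status text.
func effectiveCaps(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 2 && fields[0] == "CapEff:" {
			return strconv.ParseUint(fields[1], 16, 64)
		}
	}
	return 0, fmt.Errorf("no CapEff line found")
}

// canBindPrivileged reports whether the effective set holds CAP_NET_BIND_SERVICE.
// Assumption: net.ipv4.ip_unprivileged_port_start is at its default of 1024.
func canBindPrivileged(status string) (bool, error) {
	caps, err := effectiveCaps(status)
	if err != nil {
		return false, err
	}
	return caps&(1<<capNetBindService) != 0, nil
}

func main() {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read process status:", err)
		os.Exit(1)
	}
	ok, err := canBindPrivileged(string(data))
	fmt.Printf("CAP_NET_BIND_SERVICE effective: %v (err: %v)\n", ok, err)
}
```

If this reports false for the controller process when SSL passthrough is enabled, the file capability did not survive the image layers, which matches the note above about the docker graph needing setcap support.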