Details
-
Bug
-
Resolution: Unresolved
-
Minor
-
4.12.0
-
None
-
Moderate
-
3
-
Sprint 234
-
1
-
No
-
Rejected
-
False
-
Description
Description of problem:
The DNS egress router must run as privileged. With it being just an haproxy, it doesn't make much sense.
If I am not wrong, the biggest reason to need privileged is because of {{chroot}} option inherited from default file (https://github.com/openshift/images/blob/master/egress/dns-proxy/egress-dns-proxy.sh#L44). That option doesn't make much sense when we are already inside a container (hence why ingress controllers don't use it, for example).
So it may be worth exploring if this option can be removed and the DNS egress router can be run without requiring privileged mode, but maybe just CAP_NET_BIND_SERVICE
Version-Release number of selected component (if applicable):
4.12.0
How reproducible:
Always
Steps to Reproduce:
1. Forget to set privileged mode in the container 2. 3.
Actual results:
Pod cannot start due to chroot setting. I need to run the container as privileged, which lowers security too much.
Expected results:
Run the container without being privileged, maybe adding CAP_NET_BIND_SERVICE.
Additional info:
