
Pass CAP_NET_BIND_SERVICE to kube-apiserver #7302

Open
vladiskuz wants to merge 1 commit into k0sproject:main from vladiskuz:cap-net-bind

Conversation

@vladiskuz

Description

When the Kubernetes API server is configured to listen on a privileged port (< 1024), k0s now automatically grants the CAP_NET_BIND_SERVICE Linux capability to the kube-apiserver process. This allows the non-root process to bind to ports like 443 without requiring full root privileges.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

How Has This Been Tested?

  • Manual test
  • Auto test added

Checklist

  • My code follows the style guidelines of this project
  • My commit messages are signed-off
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings

Closes #7221
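The behaviour described above, decide from the configured port whether the child needs a privileged bind, translate that into a Linux ambient capability, and then verify on the running child that the capability actually landed, as an added Go example. This is illustration code written here, not k0s code from the pull request: the RequiredPrivileges type is modelled on the suggestion made later in the thread, and privilegesFor, ambientCapsFor, capMaskFromStatus, hasCap, childHasCap and the sampleStatus text are hypothetical names and constructed data. The value 10 for CAP_NET_BIND_SERVICE is the bit number from linux/capability.h and capabilities(7).

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// capNetBindService is the CAP_NET_BIND_SERVICE bit number from
// <linux/capability.h> / capabilities(7); it lets a process bind ports below 1024.
const capNetBindService uint = 10

// RequiredPrivileges is a platform-neutral statement of what the child needs.
// Hypothetical type, modelled on the suggestion in the review thread.
type RequiredPrivileges struct {
	BindsPrivilegedPorts bool
}

// privilegesFor derives the requirement from the configured API server port
// and rejects values outside the TCP port range.
func privilegesFor(port int) (RequiredPrivileges, error) {
	if port < 1 || port > 65535 {
		return RequiredPrivileges{}, fmt.Errorf("invalid port %d", port)
	}
	return RequiredPrivileges{BindsPrivilegedPorts: port < 1024}, nil
}

// ambientCapsFor translates the requirement into the capability numbers that
// go into syscall.SysProcAttr.AmbientCaps on Linux. Ambient capabilities do not
// exist on other platforms, so it returns nil there, and it returns nil for an
// unprivileged port so nothing is granted that is not needed.
func ambientCapsFor(p RequiredPrivileges, goos string) []uintptr {
	if goos != "linux" || !p.BindsPrivilegedPorts {
		return nil
	}
	return []uintptr{uintptr(capNetBindService)}
}

// capMaskFromStatus extracts one "CapXxx:\t<hex mask>" line from the text of
// /proc/<pid>/status (field is e.g. "CapEff" or "CapAmb").
func capMaskFromStatus(status, field string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, field+":") {
			continue
		}
		hexMask := strings.TrimSpace(strings.TrimPrefix(line, field+":"))
		return strconv.ParseUint(hexMask, 16, 64)
	}
	return 0, errors.New(field + ": not found in status text")
}

// hasCap reports whether capability bit `bit` is set in the named capability
// set of the process whose status text is given.
func hasCap(status, field string, bit uint) (bool, error) {
	mask, err := capMaskFromStatus(status, field)
	if err != nil {
		return false, err
	}
	return mask&(1<<bit) != 0, nil
}

// childHasCap is the post-start check: read the live status of the child and
// confirm the capability really is in its effective set.
func childHasCap(pid int, bit uint) (bool, error) {
	b, err := os.ReadFile(fmt.Sprintf("/proc/%d/status", pid))
	if err != nil {
		return false, err
	}
	return hasCap(string(b), "CapEff", bit)
}

// sampleStatus is a constructed excerpt of /proc/<pid>/status for a non-root
// kube-apiserver started with CAP_NET_BIND_SERVICE ambient (0x400 is bit 10).
const sampleStatus = "Name:\tkube-apiserver\n" +
	"Uid:\t999\t999\t999\t999\n" +
	"CapInh:\t0000000000000400\n" +
	"CapPrm:\t0000000000000400\n" +
	"CapEff:\t0000000000000400\n" +
	"CapBnd:\t000001ffffffffff\n" +
	"CapAmb:\t0000000000000400\n"

func main() {
	for _, port := range []int{443, 6443} {
		p, err := privilegesFor(port)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("port %d: privileged=%v, ambient caps on %s: %v\n",
			port, p.BindsPrivilegedPorts, runtime.GOOS, ambientCapsFor(p, runtime.GOOS))
	}
	ok, err := hasCap(sampleStatus, "CapEff", capNetBindService)
	fmt.Println("sample child has CAP_NET_BIND_SERVICE effective:", ok, err)
}
```

On Linux the slice returned by ambientCapsFor is what goes into syscall.SysProcAttr.AmbientCaps; the Go runtime raises those bits in the child after it has switched to the Credential uid/gid, which only works if the parent (here k0s) itself holds the capability in its permitted set. After starting the child, `grep Cap /proc/<pid>/status` shows the same masks that childHasCap parses, so a bit 10 (0x400) in CapEff and CapAmb is the confirmation that the grant took effect.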

Setpgid: true,
Pgid: 0,
Credential: creds,
AmbientCaps: ambientCaps,
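Review bot: nothing in these lines shows the AmbientCaps slice being left empty when the API server port is 1024 or higher, so please make sure the caller only populates it for a privileged port; otherwise every kube-apiserver gets CAP_NET_BIND_SERVICE regardless of need. Also worth a clear error path: Go raises the ambient bits in the child after applying Credential, and PR_CAP_AMBIENT_RAISE fails with EPERM unless the capability is already in the parent's permitted and inheritable sets, so a k0s process started without that capability will fail to launch the API server with an error that should say why.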
Member


This is a Linux-only API, hence I think we need to split this file into detachattr_linux.go and detachattr_unix.go with a go:build directive of unix && !linux.

Author


Yes, good point. I fixed it.


// CapNetBindService is the Linux capability to bind to privileged ports (< 1024)
// See: https://man7.org/linux/man-pages/man7/capabilities.7.html
CapNetBindService = 10
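Review bot: CapNetBindService = 10 is a hand-copied magic number; if the module already depends on golang.org/x/sys/unix, prefer its CAP_NET_BIND_SERVICE constant (same value) so the number cannot drift from the kernel header, and otherwise say in the comment that the value comes from linux/capability.h rather than only linking the man page. Since syscall.SysProcAttr.AmbientCaps is a []uintptr, declaring this as a typed uintptr constant also saves a conversion at every use site.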

Comment on lines +45 to +46
// Ambient capabilities to pass to the process
AmbientCaps []uintptr
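Review bot: the comment "Ambient capabilities to pass to the process" does not say that ambient capabilities exist only on Linux (kernel 4.3 and later) and that the field has no effect anywhere else, so a caller on another platform would reasonably expect it to do something; document that it is ignored off Linux, and state what the elements are (Linux capability numbers as consumed by syscall.SysProcAttr.AmbientCaps) instead of leaving the meaning of each uintptr implicit.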
Member


Given that we need to be multi-platform here, and ambient capabilities are Linux only, what about abstracting this into sth. like a RequiredPrivileges struct à la

type RequiredPrivileges struct {
	BindsPrivilegedPorts bool
}

...that we can pass around? (As always, naming is up for debate 😅 ) That encodes the intent, which can then be translated into platform specifics (i.e. adding ambient capabilities on Linux).

Author


Added logic with RequiredPrivileges to use the capability only on Linux.

@twz123 twz123 marked this pull request as ready for review March 19, 2026 17:16
@twz123 twz123 requested review from a team as code owners March 19, 2026 17:16
@twz123 twz123 requested review from juanluisvaladas and ncopa March 19, 2026 17:16
@vladiskuz vladiskuz force-pushed the cap-net-bind branch 3 times, most recently from 6e93502 to afbaa07 on March 24, 2026 10:55
@twz123
Member

twz123 commented Mar 26, 2026

Looks good so far! The linter has some nits, tho ...

@vladiskuz
Author

vladiskuz commented Mar 30, 2026

@twz123 It looks like all the issues are fixed. But I don't see the new integration test running. What did I do wrong?
upd: looks like I need to add it to Makefile.variables

When the Kubernetes API server is configured to listen
on a privileged port (< 1024), k0s now automatically
grants the CAP_NET_BIND_SERVICE Linux capability to
the kube-apiserver process. This allows the non-root
process to bind to ports like 443 without requiring
full root privileges.

Signed-off-by: Vladislav Kuzmin <vladiskuz@gmail.com>