Description
Describe the bug
Using the latest image and Helm chart and upgrading from v2.4.2, I am getting permission denied errors in nginx pods, which causes constant restarts. It appears the issue revolves around these recent securityContext changes: PR 3722 and PR 3573.
To Reproduce
Steps to reproduce the behavior:
- Deploy v3.1.1 (Chart 0.17.1) in daemonset configuration by using `helm template` ... then `kubectl apply`.
- See sample values.yaml to see our settings.
- Pods will not successfully start - continuously restart
- View logs on a restarting pod and will see
  2023/05/22 17:08:45 [emerg] 23#23: bind() to 0.0.0.0:80 failed (13: Permission denied)
- If change `daemonset.spec.template.spec.containers.securityContext.allowPrivilegeEscalation` to `true` (current setting is `false` in chart template) and restart the ds it works fine and pods start. This appears to be the same setting that was present in v.2.4.2 which we currently run without issue.
Expected behavior
I expect the pods to start successfully even with the new securityContext in place.
Your environment
- Version of the Ingress Controller - v3.1.1 with Chart 0.17.1
- Version of Kubernetes - 1.23
- Kubernetes platform (e.g. Mini-kube or GCP) - EKS
- Using NGINX or NGINX Plus : NGINX
Additional context
I can provide more information if needed. I would adjust the `daemonset.spec.template.spec.containers.securityContext.allowPrivilegeEscalation` to false to fix this ourselves (albeit reverting to a previously less secure setup that was present in v.2.4.2), but that param is not configurable in the chart.
v3.1.1 Images tried: `nginx/nginx-ingress:3.1.1-ubi` and `public.ecr.aws/nginx/nginx-ingress:3.1.1-ubi` (but we use the aws ecr public image due to dockerhub throttles)