From a39f1146b065a0ef054933f912ede0476586fa83 Mon Sep 17 00:00:00 2001 From: Samuel Karp Date: Thu, 6 Mar 2025 16:30:45 -0800 Subject: [PATCH] docs: include note about unprivileged sysctls We changed the default setting for `enable_unprivileged_ports` and `enable_unprivileged_icmp` in the CRI plugin in https://github.com/containerd/containerd/pull/9348, but missed including this change in the release notes. Signed-off-by: Samuel Karp --- docs/containerd-2.0.md | 4 ++++ internal/cri/config/config.go | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/containerd-2.0.md b/docs/containerd-2.0.md index a81b7799f..dc6a28ed4 100644 --- a/docs/containerd-2.0.md +++ b/docs/containerd-2.0.md @@ -87,6 +87,10 @@ This features needs [runc](https://github.com/opencontainers/runc) v1.2.0 or lat The CRI plugin now supports [recursive read-only mounts](https://kubernetes.io/docs/concepts/storage/volumes/#read-only-mounts) so as to prohibit accidentally having writable submounts. +### Unprivileged ports and ICMP by default for CRI + +The CRI plugin now enables `net.ipv4.ip_unprivileged-port-start=0` and `net.ipv4.ping_group_range=0 2147483647` for containers that do not use the host network namespace or user namespaces. This enables containers to bind to ports below 1024 without granting `CAP_NET_BIND_SERVICE` and to run `ping` without `CAP_NET_RAW`. This default behavior change can be reverted by setting the `enable_unprivileged_ports` and `enable_unprivileged_icmp` options to `false` in the CRI plugin configuration. + ### Deprecation warnings can now be discovered via the Introspection API Deprecations warnings have been added to the `ServerResponse` for the introspection service (`/containerd.services.introspection.v1.Introspection/Server`) and to the `ctr` tool via `ctr deprecation list`. diff --git a/internal/cri/config/config.go b/internal/cri/config/config.go index a5c6b1d5b..6276ba27b 100644 --- a/internal/cri/config/config.go 
+++ b/internal/cri/config/config.go @@ -375,13 +375,10 @@ type RuntimeConfig struct { // EnableUnprivilegedPorts configures net.ipv4.ip_unprivileged_port_start=0 // for all containers which are not using host network // and if it is not overwritten by PodSandboxConfig - // Note that currently default is set to disabled but target change it in future, see: - // https://github.com/kubernetes/kubernetes/issues/102612 EnableUnprivilegedPorts bool `toml:"enable_unprivileged_ports" json:"enableUnprivilegedPorts"` // EnableUnprivilegedICMP configures net.ipv4.ping_group_range="0 2147483647" // for all containers which are not using host network, are not running in user namespace // and if it is not overwritten by PodSandboxConfig - // Note that currently default is set to disabled but target change it in future together with EnableUnprivilegedPorts EnableUnprivilegedICMP bool `toml:"enable_unprivileged_icmp" json:"enableUnprivilegedICMP"` // EnableCDI indicates to enable injection of the Container Device Interface Specifications // into the OCI config
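Review bot: the sysctl name in the paragraph added to docs/containerd-2.0.md is misspelled: `net.ipv4.ip_unprivileged-port-start=0` uses hyphens, while the kernel key (and the comment on EnableUnprivilegedPorts in internal/cri/config/config.go in this same patch) is `net.ipv4.ip_unprivileged_port_start=0` with underscores. A reader who copies the doc string into a sysctl check will get a no-such-key error. The same sentence also applies the "or user namespaces" condition to both sysctls, whereas the code comments gate only EnableUnprivilegedICMP on not running in a user namespace; EnableUnprivilegedPorts is conditioned only on host network and PodSandboxConfig overrides. Suggest stating each sysctl with its own condition, and linking https://github.com/containerd/containerd/pull/9348 (named in the commit message) from the release note so readers can find the change that flipped the default.

Review bot: removing the two "currently default is set to disabled" notes from RuntimeConfig is correct now that the default has changed, but the remaining comments on EnableUnprivilegedPorts and EnableUnprivilegedICMP no longer say what the default is, and the link to https://github.com/kubernetes/kubernetes/issues/102612 that explained the motivation disappears with them. Suggest replacing the deleted lines with the new default rather than dropping them, for example `// Defaults to true since containerd 2.0; set to false to restore the previous behavior.` on each field, and keeping the issue link, so someone reading the struct or the generated config reference sees the behavior change without consulting the release notes.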