I seem to be having an issue on microk8s that when I run a pod / container as non-root in Microk8s it cannot bind to port 80 even though I had the NET_BIND_SERVICE capability enabled. It works however if I run the container as root. I can use the NET_BIND_SERVICE capability fine on Docker so I am unsure why it is an issue on Microk8s. Could anyone help me resolve this please?
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
com.monitoring.cadvisor: "true"
kompose.cmd: kompose convert -v -f ../../Docker Compose/gotify.yml --out ./gotify.yml
kompose.version: 1.26.1 (a9d05d509)
creationTimestamp: null
labels:
io.kompose.service: gotify-deployment
io.kompose.network/gotify: "true"
name: gotify
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: gotify-deployment
strategy:
type: Recreate
template:
metadata:
annotations:
com.monitoring.cadvisor: "true"
kompose.cmd: kompose convert -v -f ../../Docker Compose/gotify.yml --out ./gotify.yml
kompose.version: 1.26.1 (a9d05d509)
creationTimestamp: null
labels:
io.kompose.network/gotify: "true"
io.kompose.service: gotify-deployment
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gotify
operator: In
values:
- "true"
# securityContext:
# runAsNonRoot: true
# runAsUser: 1002
# runAsGroup: 1002
containers:
- env:
- name: GOTIFY_DEFAULTUSER_PASS
value: custom
- name: TZ
value: Europe/London
image: gotify/server:2.1.7
imagePullPolicy: IfNotPresent
name: gotify
resources:
limits:
cpu: "0.25"
memory: "256Mi"
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
