Socket: permission denied when run in Kubernetes

[nadenf]

Describe the bug
I am running Cloudprober within a K3d Kubernetes environment.

On launch of the pod the following error message appears and the container doesn't start:

│ cloudprober.go:182] Error initializing cloudprober. Err: rpc error: code = Unknown desc = socket: permission denied                                                                                          │ 

Cloudprober Version
0.11.3

[manugarg]

@nadenf Good question! Sending ICMP packets requires special privileges on any host. ping program on Linux machines gets around this requirement either by using setuid (so that process opens socket with root privileges), or by setting the cap_net_raw capability on the process, e.g.

getcap /bin/ping
/bin/ping cap_net_raw=ep

On a typical Linux machine:
You could run cloudprober as root or give it cap_net_raw capability to avoid this error (you will need to set use_datagram_socket: false in your config), or you could run the following command to give your user's group ability to open ping sockets:
sudo sysctl -w net.ipv4.ping_group_range="0 <large valid group id>"

See the following for more details on this:

cloudprober/probes/ping/proto/config.proto

Line 18 in be17d75

// Use datagram socket for ICMP.

.

In Kubernetes environment, you'll need to add a securityContext to your pod config, to run the sysctl command above, for example:

apiVersion: ..
kind: Pod
metadata:
  name: cloudprober-with-sysctl
spec:
  securityContext:
    sysctls:
    - name: net.ipv4.ping_group_range
      value: "0 5000"
  ...

Another option is to give your container NET_RAW capability, like this (you'll need to set use_datagram_socket: false in your cloudprober config) :

apiVersion: ...
kind: Pod
metadata:
  name: cloudprober-with-net-cap-raw
spec:
  containers:
  - name: cloudprober
    image: cloudprober/cloudprober
    securityContext:
      capabilities:
        add: ["NET_RAW"]
...

Doing one of these should resolve your issue.