Revert "Fix port binding with reduced privileges (#3574)"

This reverts commit 573828e.

Author: sjberman

build/Dockerfile.nginx

@@ -16,10 +16,15 @@ RUN --mount=type=bind,from=nginx-files,src=nginx_signing.rsa.pub,target=/etc/apk
     printf "%s\n" "https://packages.nginx.org/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
     && apk add --no-cache nginx-agent=${NGINX_AGENT_VERSION#v}
 
-RUN apk add --no-cache bash \
+RUN apk add --no-cache libcap bash \
     && mkdir -p /usr/lib/nginx/modules \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
+    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
     # Update packages for CVE-2025-32414 and CVE-2025-32415
     && apk --no-cache upgrade libxml2 \
+    && apk del libcap \
     # forward request and error logs to docker log collector
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log

build/Dockerfile.nginxplus

@@ -22,8 +22,13 @@ RUN --mount=type=secret,id=nginx-repo.crt,dst=/etc/apk/cert.pem,mode=0644 \
     && printf "%s\n" "https://pkgs.nginx.com/nginx-agent/alpine/v$(egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release)/main" >> /etc/apk/repositories \
     && apk add --no-cache nginx-plus nginx-plus-module-njs nginx-plus-module-otel nginx-agent=${NGINX_AGENT_VERSION#v}
 
-RUN apk add --no-cache bash \
+RUN apk add --no-cache libcap bash \
     && mkdir -p /usr/lib/nginx/modules \
+	&& setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+	&& setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx \
+    && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
+    && setcap -v 'cap_net_bind_service=+ep' /usr/sbin/nginx-debug \
+    && apk del libcap \
     # forward request and error logs to docker log collector
     && ln -sf /dev/stdout /var/log/nginx/access.log \
     && ln -sf /dev/stderr /var/log/nginx/error.log

charts/nginx-gateway-fabric/templates/scc.yaml

@@ -44,7 +44,6 @@ metadata:
   name: {{ include "nginx-gateway.scc-name" . }}-nginx
   labels:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
-allowPrivilegeEscalation: false
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
@@ -70,6 +69,8 @@ seLinuxContext:
   type: MustRunAs
 seccompProfiles:
 - runtime/default
+allowedCapabilities:
+- NET_BIND_SERVICE
 requiredDropCapabilities:
 - ALL
 volumes:

deploy/openshift/deploy.yaml

@@ -529,8 +529,9 @@ allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
-allowPrivilegeEscalation: false
 allowPrivilegedContainer: false
+allowedCapabilities:
+- NET_BIND_SERVICE
 apiVersion: security.openshift.io/v1
 fsGroup:
   ranges:

internal/controller/provisioner/objects.go

@@ -617,8 +617,8 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec(
 					ImagePullPolicy: pullPolicy,
 					Ports:           containerPorts,
 					SecurityContext: &corev1.SecurityContext{
-						AllowPrivilegeEscalation: helpers.GetPointer(false),
 						Capabilities: &corev1.Capabilities{
+							Add:  []corev1.Capability{"NET_BIND_SERVICE"},
 							Drop: []corev1.Capability{"ALL"},
 						},
 						ReadOnlyRootFilesystem: helpers.GetPointer(true),
@@ -691,12 +691,6 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec(
 			SecurityContext: &corev1.PodSecurityContext{
 				FSGroup:      helpers.GetPointer[int64](1001),
 				RunAsNonRoot: helpers.GetPointer(true),
-				Sysctls: []corev1.Sysctl{
-					{
-						Name:  "net.ipv4.ip_unprivileged_port_start",
-						Value: "0",
-					},
-				},
 			},
 			Volumes: []corev1.Volume{
 				{