When running as non-root, additional permissions are required to use a socket to send and receive ICMP messages. Kernel 3.+ introduced the system control `net.ipv4.ping_group_range`, which allows giving non-root users just the permission to send and receive ICMP messages. In Docker we can pass sysctls in the docker-compose.yml (10001 is our Minion id):
In Kubernetes < 1.18, it is required to whitelist `net.ipv4.ping_group_range` and set it in the deployment like this:
In environments where we don't have the possibility to whitelist `net.ipv4.ping_group_range`, the only option to get ICMP messages processed is to give the CAP_NET_RAW capability to the JVM process in the Minion.
Conditions under which we have to use CAP_NET_RAW:
- Running on managed Kubernetes < 1.18 where we don't have control to whitelist
- Running on Linux Kernels which don't have net.ipv4.ping_group_range support
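
To see which of the cases above applies to a running container, the following check compares a group id against the value of `net.ipv4.ping_group_range`. It is an added example, not part of the original page or the project's code; the function names are hypothetical and it assumes 10001 is used as the Minion's group id.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# gid_in_ping_range "<low> <high>" <gid>
# Succeeds when <gid> lies inside the inclusive group-id range.
# The kernel default "1 0" is an empty range, so no group matches it.
gid_in_ping_range() {
    range=$1
    gid=$2
    set -- $range                 # split on blanks or the tab /proc uses
    [ $# -eq 2 ] || return 1      # malformed value: treat as not allowed
    for n in "$1" "$2" "$gid"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# icmp_path "<sysctl value, empty if the kernel lacks it>" <gid>
# Prints: allowed    -> unprivileged ICMP sockets work for this group
#         denied     -> sysctl exists but must be set to include the group
#         no-sysctl  -> kernel has no ping_group_range; CAP_NET_RAW is needed
icmp_path() {
    if [ -z "$1" ]; then
        echo no-sysctl
    elif gid_in_ping_range "$1" "$2"; then
        echo allowed
    else
        echo denied
    fi
}

# Report for the current process (run as the Minion user inside the container).
icmp_path "$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null)" "$(id -g)"
```

A result of `denied` on a platform where the sysctl cannot be whitelisted falls under the first condition in the list; `no-sysctl` is the second.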