Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ingress: change hostnetwork default port to unprivileged 8080 #32159

Merged
merged 1 commit into from
Apr 24, 2024
Merged

ingress: change hostnetwork default port to unprivileged 8080 #32159

merged 1 commit into from
Apr 24, 2024

Conversation

mhofstetter
Copy link
Member

@mhofstetter mhofstetter commented Apr 24, 2024
edited

Currently, when using Ingress hostnetwork support, the Envoy listener port defaults to the privileged port 80 if no other port is defined via Helm Chart (Shared Ingress) or K8s Annotation (Dedicated Ingress).

This results in bind errors because the Envoy process of the Cilium Proxy doesn't have the respective capabilities (NET_BIND_SERVICE) to bind to privileged ports.

Even if it should eventually become possible to enable binds on privileged ports - the default will be that privileged binds aren't allowed. Hence, this commit changes the default port to the unprivileged port 8080.

Note: Ingress on HostNetwork is an unreleased feature - hence it should be OK to change the default port.

Relates to: #32158
Relates to: #30840

@mhofstetter
ingress: change hostnetwork default port to unprivileged 8080
fee03d3 
Currently, when using Ingress hostnetwork support, the Envoy listener port
defaults to the privileged port `80` if no other port is defined via Helm Chart
(Shared Ingress) or K8s Annotation (Dedicated Ingress).

This results in bind errors because the Envoy process of the Cilium Proxy doesn't
have the respective capabilities (`NET_BIND_SERVICE`) to bind to privileged ports.

Therefore, this commit changes the default port to `8080` (unprivileged).

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
@mhofstetter mhofstetter added kind/cleanup This includes no functional changes. release-note/misc This PR makes changes that have no direct user impact. area/servicemesh GH issues or PRs regarding servicemesh labels Apr 24, 2024
@mhofstetter
Copy link
Member Author

/test

@mhofstetter mhofstetter marked this pull request as ready for review April 24, 2024 17:26
@mhofstetter mhofstetter requested review from a team as code owners April 24, 2024 17:26
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 24, 2024
@sayboras sayboras added this pull request to the merge queue Apr 24, 2024
Merged via the queue into cilium:main with commit 17516f1 Apr 24, 2024
65 checks passed
@mhofstetter mhofstetter deleted the pr/mhofstetter/ingress-hostnetwork-def-port-8080 branch April 25, 2024 06:00
This was referenced Apr 25, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sayboras sayboras sayboras approved these changes

Assignees
No one assigned
Labels
area/servicemesh GH issues or PRs regarding servicemesh kind/cleanup This includes no functional changes. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mhofstetter @sayboras