New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Disable automatic publishing of all ports for kube play #17028
Comments
A friendly reminder that this issue had no activity for 30 days. |
Any thoughts on my proposal? |
SGTM
|
this SGTM too |
Agreed, SGTM |
A friendly reminder that this issue had no activity for 30 days. |
@ygalblum @umohnani8 care to work on this? |
Just checking whether this feature will allow k8s deployments where containers expose the same Sample
Running Edit for more context: Container with ID
|
@rhatdan is this still relevant? If I understand everything correctly the sweetspot should be somewhere between discussion here and the comments below #16766. To summarize, there should be a flag Cause if I catch everything right, I would like to work on this. |
I believe you are correct, but I am no expert in Kubernetes. |
@umohnani8 @ygalblum Is his assumption correct? |
@Shikachuu yes, your description is correct. The current behavior is that all the ports are published. If the host is port is set via either The |
@MarkoH17 Are you sure this configuration is valid? AFAIK all containers in a single pod share the same network namespace. As a result, you should not be able to reuse a containerPort. |
I suggest
(Emphasis mine.) Yes, this makes exposing Sure, implementing
Multiple Basically,
To me this boils down to a documentation issue for |
@ygalblum You are definitely right - the containers share a pod and encounter a collision when a containerPort is reused. Without knowing how things work here under the hood, does it make sense to support a Deployment where containerPorts may overlap? |
@joelpurra While I agree with your analysis, the problem is with backward compatibility. The current behavior is the equivalent of |
Sorry, but, the main problem lives "under the hood". This will just not work. The second application will fail to open the port inside of the container regardless to how it's exposed on the host. |
Then we agree that is a compatibility and security issue, when compared to "standard" Kubernetes YAML. I agree that it is a backward compatibility problem for For reference, there are nearly half a million YAML files containing While recently moving servers/services to rootless This pod is running on a publicly exposed server, receiving thousands of port scan requests per day. There's no advanced layered protection, but at least I have a restrictive firewall set up. I still do not like the surprise "pod/container breakout" port exposure, from a database server port no less; my take-away is that it was not far away from an accidental data leak. |
@joelpurra As I wrote, I completely understand your point. But, I know from previous cases that default behavior changes trigger quite the storm. |
A security issue is a good reason to change default behavior. I like the idea of adding a @Luap99 WDYT? |
Well not binding a host port is exactly what podman did until #15946. I don't understand why it was changed like this when it is neither how k8s behaves (not binding) nor how podman run would behave (binding a random port). I would even argue that #15946 was already a breaking change. Adding a |
So the flag should be |
SGTM |
I also just got bit by this issue after upgrading from EL
From my point of view that was already a breaking change which should be reverted sooner then later. Also comparing it with the behavior of docker compose, where the ports also must be explicitly defined, users migrating from compose to podman will most likely also run into this issue. In my testing setup here all pods are using a bridge network, where the pods should listen to and external access is only possible through an ingress pod communicating over the bridge network. Running rootless without adjusting the |
@schewara, thanks for sharing. If you are using RHEL and desire a backport, please go through the Red Hat customer channels (e.g., Bugzilla). |
… of all container ports
Glad this is already reported, just ran into the same :) |
Is there a workaround, can I use --publish with a '0' port to prevent it from opening a port on the host? |
Answered that one myself, no, it requires 1-65535 :) |
I hope that podman do not expose container port to host port when there is no hostPort describe in k8s yaml file while running |
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Fixes containers#17028
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Fixes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes containers#17028 Signed-off-by: Peter Werner <wpw.peter@gmail.com>
Feature request description
Currently
podman kube play
automatically publishes all ports which are defined in Kubernetes YAMLs ascontainerPort
.Kubernetes YAML example:
Podman command:
podman kube play all-ports-published-reproducer.yaml
Output of
podman port --latest
:8082/tcp -> 0.0.0.0:8082
Users should be able to disable this behavior to prevent accidentally publishing ports to the outside world.
Suggest potential solution
Similiarly to #16880 a new flag
--publish-all
like the one in podman run should be added topodman kube play
.This flag should accept a boolean parameter which is
true
by default to preserve the current behavior.If
--publish-all=false
is set ports should not be automatically published and only be published if the Kubernetes YAML explicitly defines thehostPort
field.Kubernetes YAML example with explicit
hostPort
set.Have you considered any alternatives?
Podman Quadlets would be an alternative but would prevent users from using already existing Kubernetes YAMLs / Helm charts.
Additional context
#16766 introduces a change to publish ports on a random port instead of reusing the
containerPort
field of the Kubernetes YAML ifhostPort
is not set.If the new flag
--publish-all
is set tofalse
and thehostPort
field is explicitly set to0
the port should be published on a random port.Even if firewalld is active on the server netavark currently allows these automatically published ports to be reachable from the outside world, which might be a security concern.
The text was updated successfully, but these errors were encountered: