Docker container port #14

Closed
lorenzo95 opened this issue Aug 1, 2022 · 7 comments · Fixed by #16


lorenzo95 commented Aug 1, 2022

Hi there.

I am using the container on k8s with security policies enabled. In order to run it I have to shut off some of the basic Kubernetes security enforcements. I think the container requires higher privileges than it actually needs due to the fact that it starts Caddy on 443. If the port was above 1024, let's say 8443 or something like it, it could start without requiring root to do so.

Or should I maybe just overwrite the Caddyfile? That would probably be a good alternative since it's behind an ingress anyway. I haven't tried it yet.

Any suggestions on how to run the container without requiring root privileges?

Thank you!


routerino commented Aug 1, 2022

It seems odd that kubernetes would care that a container exposes lower ports, since the port mapping can be arbitrary. The container runs as an unprivileged user.

Yes, by default the container copies the Caddyfile to /data/Caddyfile, you can put in a custom one there to do whatever you like. You can see the startup script here and default Caddyfile here

I'll add an environment variable to change the port next release.

@routerino routerino self-assigned this Aug 2, 2022
@routerino routerino added the chore label Aug 2, 2022
@routerino routerino added this to the Next Release milestone Aug 2, 2022
@lorenzo95

Oh sorry, no. Kubernetes doesn't care about the port. It cares about the requirement of the root permission that is needed with any port under 1024.

Basically, a user without root privileges can't run Caddy on port 443. That is no different from any other Linux.
Kubernetes will go in and say... hey, this requires root privileges to run so I won't start your container.

I'll give a Caddyfile a shot. If I get it working I'll post it.


routerino commented Aug 2, 2022

@lorenzo95 the new release is out now, can you set an env variable for a custom port and see if it fixes your problem? see here

@routerino routerino reopened this Aug 2, 2022
@lorenzo95

Not all the way yet, no.

It still opens port 80 for ACME HTTP verification. I disabled all that and moved the port. Here is my Caddyfile that works with the Kubernetes baseline security policy enforced:

http://{$DOMAIN}:8080 {
  tls {
    issuer acme {
      disable_http_challenge
      disable_tlsalpn_challenge
    }
  }
  redir / /web
  uri strip_prefix /web
  file_server {
    root /web
  }
}

And then I just pass DOMAIN as an env variable. There might be easier ways but it's my first time using Caddy.
Of course self signed certs could stay enabled, that doesn't really interfere with anything.

Here is a link to what I keep referring to in case someone thinks I am crazy ;)
Pod Security Standards
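The privileged-port constraint described in this comment, as an added example that is not part of the thread or of the project: a pre-deployment check over a pod spec that flags containers listening below 1024 without the privilege to bind there, and optionally applies the 'restricted' Pod Security Standards capability rules. The pod specs are constructed samples modelled on the report (listeners on 80 and 443, non-root) and on the fix (listeners moved above 1024); the only way the check lets the boundary move is the Kubernetes `net.ipv4.ip_unprivileged_port_start` safe sysctl.

```python
"""Pre-deployment check for the conflict discussed in this issue: a pod that must
satisfy a Kubernetes Pod Security Standards level while its container listens on
a port below 1024, which bind() refuses with EACCES for a process that lacks
CAP_NET_BIND_SERVICE. Both pod specs below are constructed samples, not the project's."""

# The 'restricted' level requires capabilities.drop: [ALL] and permits re-adding only this one.
RESTRICTED_ALLOWED_ADDS = {"NET_BIND_SERVICE"}


def check_pod(pod_spec: dict, level: str = "baseline") -> list:
    """Return human-readable findings; an empty list means no port/privilege conflict."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    # Kubernetes 1.22+ lets a pod lower the privileged-port boundary via this safe sysctl.
    low_start = 1024
    for s in pod_sc.get("sysctls", []):
        if s.get("name") == "net.ipv4.ip_unprivileged_port_start":
            low_start = int(s["value"])
    for c in pod_spec.get("containers", []):
        sc = {**pod_sc, **c.get("securityContext", {})}  # container level overrides pod level
        caps = sc.get("capabilities", {})
        added, dropped = set(caps.get("add", [])), set(caps.get("drop", []))
        non_root = sc.get("runAsNonRoot") is True or sc.get("runAsUser") not in (None, 0)
        for p in c.get("ports", []):
            port = p["containerPort"]
            if port >= low_start:
                continue  # unprivileged port, nothing to flag
            if non_root and "NET_BIND_SERVICE" not in added:
                findings.append(f"{c['name']}: port {port} needs CAP_NET_BIND_SERVICE; non-root without it (EACCES)")
            elif not non_root:
                findings.append(f"{c['name']}: port {port} binds only because the container runs as root")
        if level == "restricted":
            if not non_root:
                findings.append(f"{c['name']}: 'restricted' requires runAsNonRoot")
            if "ALL" not in dropped:
                findings.append(f"{c['name']}: 'restricted' requires capabilities.drop: [ALL]")
            if added - RESTRICTED_ALLOWED_ADDS:
                findings.append(f"{c['name']}: 'restricted' forbids adding {sorted(added - RESTRICTED_ALLOWED_ADDS)}")
    return findings


# Constructed sample mirroring the report: a non-root container whose image listens on 80 and 443.
AS_REPORTED = {"securityContext": {"runAsNonRoot": True},
               "containers": [{"name": "web", "ports": [{"containerPort": 80}, {"containerPort": 443}]}]}
# Constructed sample after the fix: both listeners moved above 1024, capabilities dropped.
AFTER_FIX = {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "web", "ports": [{"containerPort": 8080}, {"containerPort": 8443}],
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]}
```

Run `check_pod(AS_REPORTED)` to see the two bind failures the report describes, and `check_pod(AFTER_FIX, "restricted")` to confirm the relocated ports pass even the strictest level.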


routerino commented Aug 3, 2022

Ah, I see. Caddy opens up port 80 even if port 80 isn't being used by the configuration. That should be a simple adjustment, just default the HTTP port to 8080 and otherwise ignore it.

@routerino routerino reopened this Aug 3, 2022
@routerino

Fixed with 657d929

@routerino

@lorenzo95 the new docker container can set ports for both http and https via environment variables, no custom caddyfile required.


2 participants