Docker container port #14
Comments
It seems odd that Kubernetes would care that a container exposes lower ports, since the port mapping can be arbitrary. The container runs as an unprivileged user. Yes, by default the container copies the I'll add an environment variable to change the port next release.
Oh sorry, no. Kubernetes doesn't care about the port. It cares about the root permission that is needed for any port under 1024. Basically, a user without root privileges can't run Caddy on port 443. That is no different from any other Linux. I'll give a Caddyfile a shot. If I get it working I'll post it.
@lorenzo95 The new release is out now. Can you set an env variable for a custom port and see if it fixes your problem? See here.
Not all the way yet, no. It still opens port 80 for ACME HTTP verification. I disabled all that and moved the port. Here is my Caddyfile that works with the Kubernetes baseline security policy enforced:
And then I just pass DOMAIN as an env variable. There might be easier ways, but it's my first time using Caddy. Here is a link to what I keep referring to, in case someone thinks I am crazy ;)
Ah, I see. Caddy opens up port 80 even if port 80 isn't being used by the configuration. That should be a simple adjustment: just default the HTTP port to 8080 and otherwise ignore it.
Fixed with 657d929
@lorenzo95 The new Docker container can set ports for both HTTP and HTTPS via environment variables, no custom Caddyfile required.
Hi there.
I am using the container on k8s with security policies enabled. In order to run it I have to shut off some of the basic Kubernetes security enforcements. I think the container requires higher privileges than it actually needs, due to the fact that it starts Caddy on 443. If the port was above 1024, let's say 8443 or something like it, it could start without requiring root to do so.
Or should I maybe just overwrite the caddyfile? That would probably be a good alternative since it's behind an ingress anyway. I haven't tried it yet.
Any suggestions on how to run the container without requiring root privileges?
Thank you!
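An added example of the setup discussed in this thread (it is not the project's own configuration, and it is not lorenzo95's Caddyfile, which is not reproduced above): a Caddyfile that moves both listeners above 1024 and turns off automatic HTTPS, so the ACME listener on port 80 described above never opens, mounted into a Pod whose securityContext runs the process as non-root with every capability dropped, so a bind to a port below 1024 would fail instead of silently needing root. It assumes the image runs Caddy 2 and reads `/etc/caddy/Caddyfile` with its storage directory at `/data`; the image name, UID, `DOMAIN` value and `/srv` content path are placeholders. A Caddy 1 Caddyfile would express the same idea with a site address such as `:8080` and `tls off`. The port environment variables mentioned in the last comment are not named on this page, so the example uses a custom Caddyfile instead.

```yaml
# Added example, not the project's own config. Assumes a Caddy 2 image that
# reads /etc/caddy/Caddyfile and keeps its storage in /data (placeholders).
apiVersion: v1
kind: ConfigMap
metadata:
  name: caddy-config
data:
  Caddyfile: |
    {
        # Both listeners above 1024: no root and no CAP_NET_BIND_SERVICE needed.
        http_port 8080
        https_port 8443
        # TLS is terminated by the ingress, so disable ACME and redirects;
        # this is what would otherwise open port 80 even when unused.
        auto_https off
    }

    # DOMAIN is passed in as an environment variable, as in the thread.
    http://{$DOMAIN}:8080 {
        root * /srv
        file_server
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: caddy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: caddy
  template:
    metadata:
      labels:
        app: caddy
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000            # placeholder non-root UID
        runAsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: caddy
          image: REPLACE_WITH_CADDY_IMAGE   # placeholder
          env:
            - name: DOMAIN
              value: example.internal      # placeholder
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]    # without NET_BIND_SERVICE, ports < 1024 are refused
          volumeMounts:
            - name: config
              mountPath: /etc/caddy/Caddyfile
              subPath: Caddyfile
            - name: data
              mountPath: /data   # writable storage dir for the non-root user
      volumes:
        - name: config
          configMap:
            name: caddy-config
        - name: data
          emptyDir: {}
```

Apply with `kubectl apply -f` and point the ingress at port 8080 of the Service. If the container still tries to bind 80 or 443, the dropped capabilities make it fail at startup with a permission error in the Pod logs, which is the check that confirms the process really is running without root.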