pilot: gateway listeners should respect targetPort #20838
@costinm @howardjohn this is part of the multi-tenancy work: it enables non-privileged gateway pods
/retest
Interesting, seems like something we should have already done 🙂 would prefer if @rshriram also takes a look in case there is some reason this is a bad idea I am missing, but I assume you have done this on maistra for a while?
ce35292 to 97fcb5d
}, | ||
}, | ||
}, | ||
[]string{"0.0.0.0_8080"}, |
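Review bot: the expected listener name on the last line, `[]string{"0.0.0.0_8080"}`, has no comment in the visible lines saying which port 8080 stands for. If it is the targetPort of the service under test rather than its port, say so in a short comment on that line, so a reader does not take it for the service port and "fix" the expectation later.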
For ingress gateway, there is no inbound listener, so the target port does not take effect for it.
Hi @hzxuzhonghu, is this a problem with the test I wrote or the implementation? I tested this with an ingress-gateway and it works, it creates a listener on the targetPort instead of the port
The listener of gateway should have nothing to do with the targetport.
I don't agree, that's the whole point of the change: to have an ingress-gateway service with port: 80 and targetPort: 8080, so that an Ingress resource can still point to port 80 of the ingress-gateway service, but the pod running the gateway listens on port 8080, which does not require elevated privileges.
We currently assume in the code that port and targetPort for services targeting gateways are always the same, which they don't have to be.
Understood now
/retest
* Respect targetPort in gateway listener generation
* Change listening ports to unprivileged ports (>1023)
* Update operator's golden files
* Fix linting issues
This makes sure that you can define non-privileged targetPorts for your ingress-gateway services. It also changes the default listener ports to non-privileged ports.
[x] Networking
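An added sketch, not code from this pull request or from Istio, of the mapping argued for in the thread: a Gateway server port is resolved through the Service's port to targetPort entry, and any resolved port up to 1023 is flagged as still needing privileges. The `ServicePort` type, the function names and the sample ports are assumptions for illustration; real targetPort values can also be named ports, which this ignores.

```go
package main

import "fmt"

// ServicePort is a simplified, hypothetical view of one Service port entry.
type ServicePort struct {
	Port       int // port clients and Ingress resources address
	TargetPort int // port the gateway pod binds; 0 means "same as Port"
}

// listenerPort maps a Gateway server port through the Service's
// port -> targetPort entry, falling back to the server port itself.
func listenerPort(serverPort int, svc []ServicePort) int {
	for _, p := range svc {
		if p.Port == serverPort && p.TargetPort != 0 {
			return p.TargetPort
		}
	}
	return serverPort
}

// needsPrivilege: by default, ports up to 1023 need elevated privileges to bind.
func needsPrivilege(port int) bool { return port > 0 && port <= 1023 }

// plan returns the listener names (formatted like the "0.0.0.0_8080" in the
// test above) and the resolved ports that still require elevated privileges.
func plan(serverPorts []int, svc []ServicePort) (names []string, privileged []int) {
	seen := map[int]bool{}
	for _, sp := range serverPorts {
		lp := listenerPort(sp, svc)
		if seen[lp] {
			continue // two server ports resolved to the same listener
		}
		seen[lp] = true
		names = append(names, fmt.Sprintf("0.0.0.0_%d", lp))
		if needsPrivilege(lp) {
			privileged = append(privileged, lp)
		}
	}
	return names, privileged
}

func main() {
	// Constructed sample: port 80 is remapped, port 443 is not.
	svc := []ServicePort{{Port: 80, TargetPort: 8080}, {Port: 443}}
	names, privileged := plan([]int{80, 443}, svc)
	fmt.Println("listeners:", names)
	fmt.Println("still privileged:", privileged)
}
```

In the sample, port 443 has no targetPort, so it is the one listener that would still keep the gateway pod from running unprivileged.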