From 61e5188d5f4ad654edfdcc4bc8d9e0a1a68c1d2a Mon Sep 17 00:00:00 2001
From: Vaclav Pavlin
Date: Fri, 13 Dec 2019 01:44:54 +0100
Subject: [PATCH] Use port higher than 1024 to be able to run as a non-root user (#960)
---
 cmd/katib-controller/v1alpha3/Dockerfile | 1 +
 cmd/katib-controller/v1alpha3/main.go | 4 +++-
 manifests/v1alpha3/katib-controller/katib-controller.yaml | 4 +++-
 manifests/v1alpha3/katib-controller/service.yaml | 2 +-
 pkg/webhook/v1alpha3/webhook.go | 3 ++-
 5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/cmd/katib-controller/v1alpha3/Dockerfile b/cmd/katib-controller/v1alpha3/Dockerfile
index a1ed8c87c75..31e4aba1022 100644
--- a/cmd/katib-controller/v1alpha3/Dockerfile
+++ b/cmd/katib-controller/v1alpha3/Dockerfile
@@ -18,4 +18,5 @@ FROM alpine:3.7
 WORKDIR /app
 RUN apk update && apk add ca-certificates
 COPY --from=build-env /go/src/github.com/kubeflow/katib/cmd/katib-controller/katib-controller .
+USER 1000
 ENTRYPOINT ["./katib-controller"]
diff --git a/cmd/katib-controller/v1alpha3/main.go b/cmd/katib-controller/v1alpha3/main.go
index 4345a63c987..9cb3e73b37f 100644
--- a/cmd/katib-controller/v1alpha3/main.go
+++ b/cmd/katib-controller/v1alpha3/main.go
@@ -39,10 +39,12 @@ func main() {
 var experimentSuggestionName string
 var metricsAddr string
+ var webhookPort int
 flag.StringVar(&experimentSuggestionName, "experiment-suggestion-name", "default", "The implementation of suggestion interface in experiment controller (default|fake)")
 flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+ flag.IntVar(&webhookPort, "webhook-port", 8443, "The port number to be used for admission webhook server.")
 flag.Parse()
@@ -83,7 +85,7 @@ func main() {
 }
 log.Info("Setting up webhooks")
- if err := webhook.AddToManager(mgr); err != nil {
+ if err := webhook.AddToManager(mgr, int32(webhookPort)); err != nil {
 log.Error(err, "unable to register webhooks to the manager")
 os.Exit(1)
 }
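Review bot: `USER 1000` in cmd/katib-controller/v1alpha3/Dockerfile names only a UID, so the process keeps the root group (GID 0) unless the base image defines a primary group for that UID, which a stock alpine image is not expected to do. Anything in the image or on a mounted volume that is group-accessible to root therefore stays reachable through group permissions. I would pin both ids with `USER 1000:1000` so that neither the user nor the group is 0.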
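Review bot: `--webhook-port` is parsed as an `int` in the first main.go hunk and narrowed with `int32(webhookPort)` in the second, with no range check in between, so an oversized value is truncated silently and 0 or a negative number is passed on unchanged. webhook.go then hands the value straight to `ServerOptions.Port`, where a zero is likely to be replaced by the library's own default; if that default is a privileged port, the bind fails under the new `USER 1000` with an error that never mentions the flag. I would reject bad input right after `flag.Parse()` with `if webhookPort < 1 || webhookPort > 65535 {` followed by a log line naming the flag and `os.Exit(1)`. main's body starts and ends outside both hunks.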
diff --git a/manifests/v1alpha3/katib-controller/katib-controller.yaml b/manifests/v1alpha3/katib-controller/katib-controller.yaml
index 25b4de9a41e..b84107bc268 100644
--- a/manifests/v1alpha3/katib-controller/katib-controller.yaml
+++ b/manifests/v1alpha3/katib-controller/katib-controller.yaml
@@ -23,8 +23,10 @@ spec:
 image: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller
 imagePullPolicy: IfNotPresent
 command: ["./katib-controller"]
+ args:
+ - '--webhook-port=8443'
 ports:
- - containerPort: 443
+ - containerPort: 8443
 name: webhook
 protocol: TCP
 - containerPort: 8080
diff --git a/manifests/v1alpha3/katib-controller/service.yaml b/manifests/v1alpha3/katib-controller/service.yaml
index efcc6ec2327..4103ef84a52 100644
--- a/manifests/v1alpha3/katib-controller/service.yaml
+++ b/manifests/v1alpha3/katib-controller/service.yaml
@@ -11,7 +11,7 @@ spec:
 ports:
 - port: 443
 protocol: TCP
- targetPort: 443
+ targetPort: 8443
 name: webhook
 - name: metrics
 port: 8080
diff --git a/pkg/webhook/v1alpha3/webhook.go b/pkg/webhook/v1alpha3/webhook.go
index 40fa929effd..a54758f7b57 100644
--- a/pkg/webhook/v1alpha3/webhook.go
+++ b/pkg/webhook/v1alpha3/webhook.go
@@ -35,7 +35,7 @@ const (
 katibControllerName = "katib-controller"
 )
-func AddToManager(m manager.Manager) error {
+func AddToManager(m manager.Manager, port int32) error {
 server, err := webhook.NewServer("katib-admission-server", m, webhook.ServerOptions{
 CertDir: "/tmp/cert",
 BootstrapOptions: &webhook.BootstrapOptions{
@@ -53,6 +53,7 @@ func AddToManager(m manager.Manager) error {
 ValidatingWebhookConfigName: "katib-validating-webhook-config",
 MutatingWebhookConfigName: "katib-mutating-webhook-config",
 },
+ Port: port,
 })
 if err != nil {
 return err
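Review bot: Nothing in the katib-controller.yaml hunk makes the cluster enforce the non-root run that the move to `containerPort: 8443` is meant to enable; the guarantee rests entirely on the `USER 1000` line baked into the image. Unless the pod spec outside this hunk already carries one, I would add a container `securityContext` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`, so that an image rebuilt without `USER` is refused by the kubelet instead of quietly running as root. The port number is also now written in three places (`--webhook-port=8443`, `containerPort: 8443`, and `targetPort: 8443` in service.yaml) that must be changed together; a short comment next to `args:` saying so would help.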
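Review bot: `AddToManager` in pkg/webhook/v1alpha3/webhook.go is exported and gains a `port` parameter in the first hunk, but it still has no doc comment, so a caller cannot tell which values are acceptable. I would add `// AddToManager registers the katib admission webhook server with m; port is the TCP port it listens on and must be one the (non-root) process is allowed to bind.` above the signature. The same call sets `CertDir: "/tmp/cert"`, which the server appears to use for its serving certificates, so the comment should also state that this directory has to be writable by the container user now that it is UID 1000. The function body runs past this hunk and continues in the next one.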