Default webhook port (443) is problematic for operators running as non-root #1018
Labels: good first issue, help wanted, kind/cleanup, priority/important-soon
If left unset, the manager defaults to running the webhook server on port 443.
Since it is a security best practice to run pods as a non-root user, this default can cause unexpected problems for developers using controller-runtime directly (nonroot users typically can't open listeners on low-numbered ports).
In Kubebuilder, the default main.go scaffold hardcodes this value to 9443, which solves the problem for users of Kubebuilder that scaffolded their project somewhat recently, but all other users are left figuring this out on their own.

I'm wondering if we should change the default value to 9443 to match Kubebuilder's current scaffold configuration?

This would be a breaking change.
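A preflight check for the failure described in this issue, as an added example that is not part of the original issue and not controller-runtime code. It uses only the Go standard library and Linux procfs; the function names are hypothetical, and 1024 is assumed as the fallback for `net.ipv4.ip_unprivileged_port_start`. On Linux the kernel decides on `CAP_NET_BIND_SERVICE` rather than on UID 0, so a root container that drops all capabilities hits the same problem.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

const defaultWebhookPort = 443 // default the issue describes for an unset port
const capNetBindService = 10   // bit index of CAP_NET_BIND_SERVICE on Linux

// effectivePort returns the port that is used when the configured value is left unset (0).
func effectivePort(configured int) int {
	if configured == 0 {
		return defaultWebhookPort
	}
	return configured
}

// parseCapEff extracts the effective capability mask from /proc/<pid>/status text.
func parseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			return strconv.ParseUint(strings.TrimSpace(line[len("CapEff:"):]), 16, 64)
		}
	}
	return 0, fmt.Errorf("CapEff line not found")
}

// canBind: the port is at or above ip_unprivileged_port_start, or the process holds CAP_NET_BIND_SERVICE.
func canBind(port int, capEff uint64, unprivStart int) bool {
	return port >= unprivStart || capEff&(1<<capNetBindService) != 0
}

func main() {
	unprivStart := 1024 // assumed fallback if the sysctl cannot be read
	if b, err := os.ReadFile("/proc/sys/net/ipv4/ip_unprivileged_port_start"); err == nil {
		if n, err := strconv.Atoi(strings.TrimSpace(string(b))); err == nil {
			unprivStart = n
		}
	}
	status, _ := os.ReadFile("/proc/self/status")
	caps, _ := parseCapEff(string(status)) // mask stays 0 if procfs is unavailable
	for _, configured := range []int{0, 9443} { // unset vs. the Kubebuilder scaffold value
		p := effectivePort(configured)
		fmt.Printf("configured=%d effective=%d bindable=%v\n", configured, p, canBind(p, caps, unprivStart))
	}
}
```

Run inside the operator's container image under the pod's securityContext, this reports whether the unset default would fail to bind before the manager is started.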