Default webhook port (443) is problematic for operators running as non-root

[joelanford]

If left unset, the manager defaults to running the webhook server on port 443.

Since it is a security best practice to run pods as a non-root user, this default can cause unexpected problems for developers using controller-runtime directly (nonroot users typically can't open listeners on low-numbered ports).

In Kubebuilder, the default main.go scaffold hardcodes this value to 9443, which solves the problem for users of Kubebuilder that scaffolded their project somewhat recently, but all other users are left figuring this out on their own.

I'm wondering if we should change the default value to 9443 to match Kubebuilder's current scaffold configuration?

This would be a breaking change.

[vincepri]

+1, we should change the port to 9443 or similar, let's do this in the next milestone. Anyone tackling this issue, you should title your PR as ⚠️, given that's a breaking change and it'll probably need release notes.

/milestone v0.7.x
/priority important-soon
/kind cleanup
/help
/good-first-issue

[k8s-ci-robot]

@vincepri:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

+1, we should change the port to 9443 or similar, let's do this in the next milestone. Anyone tackling this issue, you should title your PR as ⚠️, given that's a breaking change and it'll probably need release notes.

/milestone v0.7.x
/priority important-soon
/kind cleanup
/help
/good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jiachengxu]

/assign