Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Local] Allow disabling port publishing on host network #3127

Merged
merged 6 commits into from
Jan 18, 2024
Merged

[Local] Allow disabling port publishing on host network #3127

merged 6 commits into from
Jan 18, 2024

Conversation

TomerShor
Copy link
Contributor

@TomerShor TomerShor commented Jan 16, 2024
edited

Currently we do not have an option for local (docker) environments to disable publishing the function container port on the host network. The only options are to select a specific port or a a random port.
This can cause possible security issues for users who do not want to expose their function on external URLs.

In this PR I've added to option to avoid publishing the function on the host network using the trigger attributes, which can be set in the function spec as follows:

spec:
  triggers:
    http-trigger:
      attributes:
        disablePortPublishing: true

Until this feature will be enabled in the GUI as well, this can also be set via trigger annotations, with the followin annotation:

"nuclio.io/disable-port-publishing": "true"

Note - this is already supported in a Kubernetes environment.

Resolves #2468

rokatyy
rokatyy reviewed Jan 17, 2024
View reviewed changes
Copy link
Contributor

@rokatyy rokatyy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one question regarding implementation. Annotation part looks good to me.
Also - maybe it is worth covering this in our docs? (For instance, here)

@TomerShor
Copy link
Contributor Author

TomerShor commented Jan 17, 2024
edited

@rokatyy Yes, once we go on a specific way to set it up I'll add it do the docs, not development docs but rather function configuration docs.
But PR is still a draft 😉

@github-actions github-actions bot added the docs label Jan 17, 2024
@TomerShor TomerShor changed the title [Local] Allow not publishing function on host network [Local] Allow disabling port publishing on host network Jan 18, 2024
@TomerShor TomerShor marked this pull request as ready for review January 18, 2024 08:11
@liranbg liranbg self-requested a review January 18, 2024 08:29
rokatyy
rokatyy approved these changes Jan 18, 2024
View reviewed changes
Copy link
Contributor

@rokatyy rokatyy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!
Just 2 minor suggestion :)

pkg/platform/local/platform.go Outdated Show resolved Hide resolved
pkg/platform/local/test/platform_test.go Outdated Show resolved Hide resolved
@TomerShor TomerShor merged commit 897c934 into nuclio:development Jan 18, 2024
11 checks passed
@TomerShor TomerShor deleted the feature/local-expose-external branch January 18, 2024 11:01
@TomerShor TomerShor mentioned this pull request Jan 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rokatyy rokatyy rokatyy approved these changes

@liranbg liranbg Awaiting requested review from liranbg

Assignees
No one assigned
Labels
docs platform/local platform trigger/http trigger/kafka
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

security: disable port binding
2 participants
@TomerShor @rokatyy