Skip to content

connectivity-check: Use unprivileged ports#12948

Merged
tgraf merged 1 commit intomasterfrom
pr/tgraf/unprivileged-ports
Aug 24, 2020
Merged

connectivity-check: Use unprivileged ports#12948
tgraf merged 1 commit intomasterfrom
pr/tgraf/unprivileged-ports

Conversation

@tgraf
Copy link
Copy Markdown
Contributor

@tgraf tgraf commented Aug 21, 2020

Use of port 80 causes unnecessary requirements for k8s environments to
allow pods to bind to privileged ports. Switch to port 8080 instead.

@tgraf
connectivity-check: Use unprivileged ports
30e526c 
Use of port 80 causes unnecessary requirements for k8s environments to
allow pods to bind to privileged ports. Switch to port 8080 instead.

Signed-off-by: Thomas Graf <thomas@cilium.io>
@tgraf tgraf added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Aug 21, 2020
@tgraf tgraf requested a review from a team August 21, 2020 11:57
@tgraf
Copy link
Copy Markdown
Contributor Author

tgraf commented Aug 21, 2020

test-me-please

sayboras
sayboras approved these changes Aug 21, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 💯

Just curious if there is any plan to use unprivileged ports for cilium services as well. If I am not wrong, some hubble related service might still use port 80.

@tgraf
Copy link
Copy Markdown
Contributor Author

tgraf commented Aug 21, 2020

test-me-please

@gandro
Copy link
Copy Markdown
Member

gandro commented Aug 24, 2020

@sayboras

Just curious if there is any plan to use unprivileged ports for cilium services as well. If I am not wrong, some hubble related service might still use port 80.

I think the Hubble related services you might be referring to (hubble-relay and hubble-ui) are only using port 80 on the service frontend, but not the container (target) port. hubble-relay listens on port 4245, hubble-ui on port 12000.

In that case, I don't think we suffer the problem this PR is addressing (which is fixing up the container ports)

@tgraf tgraf merged commit aacc6e7 into master Aug 24, 2020
@tgraf tgraf deleted the pr/tgraf/unprivileged-ports branch August 24, 2020 09:44
@brb brb mentioned this pull request Aug 25, 2020
Merged
This was referenced Aug 27, 2020
Merged
Merged
@kaworu kaworu mentioned this pull request Sep 7, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joestringer joestringer joestringer approved these changes

@sayboras sayboras sayboras approved these changes

Assignees

No one assigned

Labels

area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tgraf @gandro @joestringer @sayboras @kaworu