From e54beaee2260b0531d0749a46e8ab2455a009f7b Mon Sep 17 00:00:00 2001 From: Zlatko Bratkovic Date: Mon, 12 Feb 2024 14:55:43 +0100 Subject: [PATCH] MAJOR: change http and https default ports to 8080 and 8443 with new s6 we completely move to rootless container setup, therefore binding to 80 and 443 is nto possible nor desired by default. if you are using external mode or nodePort setup this needs to be aligned --- deploy/haproxy-ingress-daemonset.yaml | 4 ++++ deploy/haproxy-ingress.yaml | 4 ++++ deploy/tests/config/3.ingress-controller.yaml | 8 ++++---- .../integration/timeout-server/timeoutserver_test.go | 2 +- deploy/tests/tnr/routeacl/suite_test.go | 2 +- documentation/annotations.md | 2 +- documentation/controller.md | 8 ++++---- documentation/custom-resources.md | 2 +- documentation/doc.yaml | 10 +++++----- pkg/annotations/common/main.go | 2 +- pkg/utils/flags.go | 4 ++-- 11 files changed, 28 insertions(+), 20 deletions(-) diff --git a/deploy/haproxy-ingress-daemonset.yaml b/deploy/haproxy-ingress-daemonset.yaml index 3624395c..be3e8a1b 100644 --- a/deploy/haproxy-ingress-daemonset.yaml +++ b/deploy/haproxy-ingress-daemonset.yaml @@ -152,6 +152,8 @@ spec: args: - --configmap=haproxy-controller/haproxy-kubernetes-ingress securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false runAsUser: 1000 runAsGroup: 1000 capabilities: @@ -159,6 +161,8 @@ spec: - ALL add: - NET_BIND_SERVICE + seccompProfile: + type: RuntimeDefault resources: limits: memory: 2560Mi diff --git a/deploy/haproxy-ingress.yaml b/deploy/haproxy-ingress.yaml index 3557f4be..4bb51830 100644 --- a/deploy/haproxy-ingress.yaml +++ b/deploy/haproxy-ingress.yaml @@ -153,6 +153,8 @@ spec: args: - --configmap=haproxy-controller/haproxy-kubernetes-ingress securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false runAsUser: 1000 runAsGroup: 1000 capabilities: 
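Review bot: capabilities.add still grants NET_BIND_SERVICE in both deploy/haproxy-ingress-daemonset.yaml hunks and in both deploy/haproxy-ingress.yaml hunks (the second of which follows on the next line), although the defaults this commit sets, 8080 and 8443, are unprivileged ports that need no capability at all. Dropping the `add:` entry would complete the least-privilege intent stated in the message; if it is kept so that operators can still override `--http-bind-port=80`, a comment such as `# only needed when the bind ports are overridden to values below 1024` next to it would explain why a non-root pod carries it. For a non-root user an added capability is in general only usable when the binary itself carries file capabilities, so it is worth confirming the image's haproxy binary still does before relying on that override path. The runAsNonRoot, allowPrivilegeEscalation and seccompProfile additions themselves look right; the Service and containerPort entries elsewhere in these two files are outside the hunks, so check they were aligned to 8080/8443 the way deploy/tests/config/3.ingress-controller.yaml is.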
@@ -160,6 +162,8 @@ spec: - ALL add: - NET_BIND_SERVICE + seccompProfile: + type: RuntimeDefault resources: limits: memory: 2560Mi diff --git a/deploy/tests/config/3.ingress-controller.yaml b/deploy/tests/config/3.ingress-controller.yaml index 944f8884..a9db63ea 100644 --- a/deploy/tests/config/3.ingress-controller.yaml +++ b/deploy/tests/config/3.ingress-controller.yaml @@ -80,13 +80,13 @@ spec: type: NodePort ports: - name: http - port: 80 - targetPort: 80 + port: 8080 + targetPort: 8080 nodePort: 30080 protocol: TCP - name: https - port: 443 - targetPort: 443 + port: 8443 + targetPort: 8443 nodePort: 30443 protocol: TCP - name: stat diff --git a/deploy/tests/integration/timeout-server/timeoutserver_test.go b/deploy/tests/integration/timeout-server/timeoutserver_test.go index 4f90f8dd..5b3399bf 100644 --- a/deploy/tests/integration/timeout-server/timeoutserver_test.go +++ b/deploy/tests/integration/timeout-server/timeoutserver_test.go @@ -132,7 +132,7 @@ func newAppSvc() *store.Service { { Name: "https", Protocol: "TCP", - Port: 443, + Port: 8443, Status: store.ADDED, }, }, diff --git a/deploy/tests/tnr/routeacl/suite_test.go b/deploy/tests/tnr/routeacl/suite_test.go index 862af87a..8435c3a1 100644 --- a/deploy/tests/tnr/routeacl/suite_test.go +++ b/deploy/tests/tnr/routeacl/suite_test.go @@ -154,7 +154,7 @@ func (suite *UseBackendSuite) UseBackendFixture() (eventChan chan k8s.SyncDataEv { Name: "https", Protocol: "TCP", - Port: 443, + Port: 8443, Status: store.ADDED, }, }, diff --git a/documentation/annotations.md b/documentation/annotations.md index aa05abe1..1365afe9 100644 --- a/documentation/annotations.md +++ b/documentation/annotations.md 
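Review bot: In the deploy/tests/config/3.ingress-controller.yaml hunk the NodePort Service's `port:` values are changed to 8080/8443 together with `targetPort:`, whereas only targetPort has to follow the container's new bind ports; the documentation/custom-resources.md hunk in this same commit keeps `port: 443` and changes only `targetPort: 8443`. Keeping `port: 80` and `port: 443` with `targetPort: 8080` and `targetPort: 8443` would leave the in-cluster service address stable and consistent with that example. If the tests address the Service on 8080/8443 directly, that is a reason to keep the change, and a one-line comment saying so would help the next reader.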
@@ -74,7 +74,7 @@ This is autogenerated from [doc.yaml](doc.yaml). Description can be found in [ge | [ssl-passthrough](#https) | [bool](#bool) | "false" | |:large_blue_circle:|:large_blue_circle:|:large_blue_circle:| | [ssl-redirect](#https) | [bool](#bool) | "false" | https |:large_blue_circle:|:large_blue_circle:|:white_circle:| | [ssl-redirect-code](#https) | [301, 302, 303] | "302" | ssl-redirect |:large_blue_circle:|:large_blue_circle:|:white_circle:| -| [ssl-redirect-port](#https) | number | 443 | ssl-redirect |:large_blue_circle:|:large_blue_circle:|:white_circle:| +| [ssl-redirect-port](#https) | number | 8443 | ssl-redirect |:large_blue_circle:|:large_blue_circle:|:white_circle:| | [syslog-server](#logging) | [syslog](#syslog-fields) | "address:127.0.0.1, facility: local0, level: notice" | |:large_blue_circle:|:white_circle:|:white_circle:| | [standalone-backend](#standalone-backend) | [bool](#bool) | | |:white_circle:|:large_blue_circle:|:large_blue_circle:| | [timeout-check](#timeouts) | [time](#time) | | |:large_blue_circle:|:large_blue_circle:|:large_blue_circle:| diff --git a/documentation/controller.md b/documentation/controller.md index 06b97e96..58d85710 100644 --- a/documentation/controller.md +++ b/documentation/controller.md @@ -28,8 +28,8 @@ Image can be run with arguments: | [`--disable-ipv6`](#--disable-ipv6) | `false` | | [`--ipv4-bind-address`](#--ipv4-bind-address) | `0.0.0.0` | | [`--ipv6-bind-address`](#--ipv6-bind-address) | `::` | -| [`--http-bind-port`](#--http-bind-port) | `80` | -| [`--https-bind-port`](#--https-bind-port) | `443` | +| [`--http-bind-port`](#--http-bind-port) | `8080` | +| [`--https-bind-port`](#--https-bind-port) | `8443` | | [`--disable-http`](#--disable-http) | `false` | | [`--disable-https`](#--disable-https) | `false` | | [`--sync-period`](#--sync-period) | `5s` | @@ -478,7 +478,7 @@ Example: Possible values: -- A valid port in the range. Default: 80 +- A valid port in the range. Default: 8080 Example: 
@@ -496,7 +496,7 @@ Example: Possible values: -- A valid port in the range. Default: 443 +- A valid port in the range. Default: 8443 Example: diff --git a/documentation/custom-resources.md b/documentation/custom-resources.md index 21491cdb..ee6413df 100644 --- a/documentation/custom-resources.md +++ b/documentation/custom-resources.md @@ -165,5 +165,5 @@ spec: - protocol: TCP port: 443 name: https - targetPort: 443 + targetPort: 8443 ``` diff --git a/documentation/doc.yaml b/documentation/doc.yaml index 6eb52681..8e353b77 100644 --- a/documentation/doc.yaml +++ b/documentation/doc.yaml @@ -241,8 +241,8 @@ image_arguments: - argument: --http-bind-port description: Customize the HTTP frontend binding port. values: - - "A valid port in the range. Default: 80" - default: 80 + - "A valid port in the range. Default: 8080" + default: 8080 version_min: "1.5" example: --http-bind-port=8080 helm: |- @@ -251,8 +251,8 @@ image_arguments: - argument: --https-bind-port description: Customize the HTTPS frontend binding port. values: - - "A valid port in the range. Default: 443" - default: 443 + - "A valid port in the range. Default: 8443" + default: 8443 version_min: "1.5" example: --http-bind-port=8443 helm: |- @@ -1605,7 +1605,7 @@ annotations: type: number group: https dependencies: ssl-redirect - default: "443" + default: "8443" description: - Sets the HTTPS port to redirect to when HTTP to HTTPS traffic redirection is enabled when `ssl-redirect` is true. tip: diff --git a/pkg/annotations/common/main.go b/pkg/annotations/common/main.go index 12c8b18c..f2da4596 100644 --- a/pkg/annotations/common/main.go +++ b/pkg/annotations/common/main.go @@ -56,7 +56,7 @@ var DefaultValues = map[string]string{ "request-capture-len": "128", "ssl-redirect-code": "302", "request-redirect-code": "302", - "ssl-redirect-port": "443", + "ssl-redirect-port": "8443", "ssl-passthrough": "false", "server-ssl": "false", "scale-server-slots": "42", 
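Review bot: Changing the ssl-redirect-port default to "8443" in pkg/annotations/common/main.go alters what clients receive, not only where HAProxy listens: the annotation is the port written into the HTTP-to-HTTPS redirect, and in the deployment shown in the documentation/custom-resources.md hunk the Service still exposes 443 and maps it to targetPort 8443, so an HTTP client would be redirected to https://host:8443, which is not reachable through that Service. The redirect port should track the externally visible port, which the move to a rootless bind does not change; keeping `"ssl-redirect-port": "443",` here (with the matching defaults in documentation/doc.yaml and annotations.md) and documenting that users who expose 8443 directly set the annotation looks safer. I am inferring the redirect behaviour from the annotation's own description in doc.yaml ("Sets the HTTPS port to redirect to"), so confirm against the code that renders the redirect rule. The DefaultValues map starts and ends outside the hunk.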
diff --git a/pkg/utils/flags.go b/pkg/utils/flags.go
index d7ccfe43..679a0340 100644
--- a/pkg/utils/flags.go
+++ b/pkg/utils/flags.go
@@ -90,8 +90,8 @@ type OSArgs struct {
 DefaultBackendPort int `long:"default-backend-port" description:"port to use for default service" default:"6061"`
 ChannelSize int64 `long:"channel-size" description:"sets the size of controller buffers used to receive and send k8s events.NOTE: increase the value to accommodate large number of resources "`
 ControllerPort int `long:"controller-port" description:"port to listen on for controller data: prometheus, pprof" default:"6060"`
- HTTPBindPort int64 `long:"http-bind-port" default:"80" description:"port to listen on for HTTP traffic"`
- HTTPSBindPort int64 `long:"https-bind-port" default:"443" description:"port to listen on for HTTPS traffic"`
+ HTTPBindPort int64 `long:"http-bind-port" default:"8080" description:"port to listen on for HTTP traffic"`
+ HTTPSBindPort int64 `long:"https-bind-port" default:"8443" description:"port to listen on for HTTPS traffic"`
 SyncPeriod time.Duration `long:"sync-period" default:"5s" description:"Sets the period at which the controller syncs HAProxy configuration file"`
 CacheResyncPeriod time.Duration `long:"cache-resync-period" default:"10m" description:"Sets the underlying Shared Informer resync period: resyncing controller with informers cache"`
 HealthzBindPort int64 `long:"healthz-bind-port" default:"1042" description:"port to listen on for probes"`
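Review bot: The description tags on HTTPBindPort and HTTPSBindPort still say only "port to listen on for HTTP traffic", so `--help` gives no hint of why the defaults are now 8080/8443 or of what is required to go back to 80/443 in the rootless container. Suggest `description:"port to listen on for HTTP traffic; values below 1024 require NET_BIND_SERVICE when running as non-root"` and the equivalent wording for the HTTPS flag. The OSArgs struct starts and ends outside the hunk.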