Use port higher than 1024 to be able to run as a non-root user #960
Conversation
|
Hi @vpavlin. Thanks for your PR. I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/ok-to-test |
| @@ -83,7 +85,7 @@ func main() { | |||
| } | |||
|
|
|||
| log.Info("Setting up webhooks") | |||
| if err := webhook.AddToManager(mgr); err != nil { | |||
| if err := webhook.AddToManager(mgr, int32(webhookPort)); err != nil { | |||
There was a problem hiding this comment.
why not var webhookPort int32 in line 42?
There was a problem hiding this comment.
Because defining the variable as int32 fails in flag.IntVar with
v1alpha3/main.go:47:14: cannot use &webhookPort (type *int32) as type *int in argument to flag.IntVar
So I tried flag.Var, but int32 does not have flag.Set method implemented
*int32 does not implement flag.Value (missing Set method)
So the simplest solution seemed to be to just load int and change the type. Do you have different suggestion for solution?
|
|
||
| flag.StringVar(&experimentSuggestionName, "experiment-suggestion-name", | ||
| "default", "The implementation of suggestion interface in experiment controller (default|fake)") | ||
| flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.") | ||
| flag.IntVar(&webhookPort, "webhook-port", 443, "The port number to be used for admission webhook server.") |
vpavlin
force-pushed
the
feature/parameterize-webhook-port
branch
from
13ecd46
to
599ced1
Compare
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hougangliu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What this PR does / why we need it:
This PR allows Katib Controller to run as a non-root user. This is important from security point of view and especially to enable Katib on enterprise distributions of Kubernetes like OpenShift.
This PR adds a parameter
--webhook-portto allow configuring port > 1024 for admission webhooks and also changes the default port (443) to8443.It also changes the
USERinDockerfileas it is not necessary to run as root with this change even on the vanilla Kubernetes.Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #959
Special notes for your reviewer:
No image changes
Release note:
This change is