Describe the solution you'd like
Adapt the current DaemonSets and Deployments with `hostNetwork: true` to support configuring binding to the node-ip or to localhost.
This would require adding a new environment variable to the DaemonSet or Deployment, or configuring `[::1]` (localhost) for it.
using node-ip

```yaml
containers:
  - # ...
    # name:
    args:
      - "--https_address=[::1]"                  # localhost bind
      - "--https_address=$(KUBERNETES_HOST_IP)"  # node-ip bind
      - "--https_port={PROBE_PORT}"
    ports:
      - containerPort: {PROBE_PORT}
        name: healthz
        protocol: TCP
    env:
      - name: KUBERNETES_HOST_IP
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: status.hostIP
    startupProbe:
      httpGet:
        host: localhost
        path: /liveness
        scheme: HTTPS
        port: {PROBE_PORT}
      failureThreshold: 5
      timeoutSeconds: 5
      periodSeconds: 10
    livenessProbe:
      httpGet:
        host: localhost
        path: /liveness
        scheme: HTTPS
        port: {PROBE_PORT}
      failureThreshold: 5
      timeoutSeconds: 5
      periodSeconds: 10
    readinessProbe:
      httpGet:
        host: localhost
        path: /readiness
        scheme: HTTPS
        port: {PROBE_PORT}
      failureThreshold: 5
      timeoutSeconds: 5
      periodSeconds: 10
      initialDelaySeconds: 15
```

Describe alternatives you've considered
- Install a mutating webhook which manipulates the DaemonSet during apply.
- Hardcode `https_address` to bind to `localhost`, `[::1]` or `127.0.0.1`: if it is only needed for the kubelet health checks (`readinessProbe` and `startupProbe`), it does not need to be exposed to external systems.
Additional context
This ensures that the probe endpoint is not accidentally exposed into other networks. It should be configurable.
As long as it stays as it is, all additionally configured IPs on the node could accept traffic for the probe endpoint.
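As an added example (not code from the issue or the project), the following offline check audits a Pod spec for the exposure described above: a `hostNetwork` container whose `--https_address` is not pinned to loopback or the node-ip, and probes that would not reach a loopback-bound listener. It assumes the `--https_address` flag name from the sketch above and that the current default listens on every node IP, as the issue states; the sample specs are constructed.

```python
# Added example, not part of the issue or the project. Assumes the
# --https_address flag from the issue's sketch; the sample pods are constructed.
from __future__ import annotations

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}
NODE_IP_REF = "$(KUBERNETES_HOST_IP)"  # node-ip bind via fieldRef status.hostIP
WILDCARD = {None, "", "0.0.0.0", "[::]"}  # None: flag absent; per the issue, default is all interfaces


def bind_address(args: list[str]) -> str | None:
    """Value of --https_address, or None when the flag is absent."""
    for arg in args:
        if arg.startswith("--https_address="):
            return arg.split("=", 1)[1]
    return None


def audit_pod(pod: dict) -> list[str]:
    """Findings for a hostNetwork pod whose probe listener is reachable on every node IP."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    if not spec.get("hostNetwork"):
        return findings  # own network namespace: node interfaces are not involved
    for c in spec.get("containers", []):
        name, addr = c["name"], bind_address(c.get("args", []))
        if addr in WILDCARD:
            findings.append(f"{name}: https_address binds every node interface")
        elif addr not in LOOPBACK and addr != NODE_IP_REF:
            findings.append(f"{name}: https_address={addr} is neither loopback nor node-ip")
        for probe in ("startupProbe", "livenessProbe", "readinessProbe"):
            http = c.get(probe, {}).get("httpGet")
            if http is None:
                continue
            host = http.get("host")  # unset = pod IP, which is the node IP under hostNetwork
            if addr in LOOPBACK and host not in LOOPBACK:
                findings.append(f"{name}: {probe} targets {host or 'pod IP'}, not the loopback listener")
    return findings


# Constructed sample specs: the issue's proposed shape versus the current default.
PROPOSED = {"spec": {"hostNetwork": True, "containers": [{
    "name": "agent", "args": ["--https_address=[::1]", "--https_port=8443"],
    "livenessProbe": {"httpGet": {"host": "localhost", "path": "/liveness", "port": 8443}},
}]}}
CURRENT = {"spec": {"hostNetwork": True, "containers": [{
    "name": "agent", "args": ["--https_port=8443"],
    "livenessProbe": {"httpGet": {"path": "/liveness", "port": 8443}},
}]}}

if __name__ == "__main__":
    for label, pod in (("proposed", PROPOSED), ("current", CURRENT)):
        print(label, audit_pod(pod) or "ok")
```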