In testing the Redis broker, we found that it attempts to expose port 80 on the container even when `spec.broker.port`, which controls the service port, is set to a different port.
This may cause an issue in clusters where privileged ports (under 1024) are not bindable by unprivileged users.
In our cluster the broker pod enters a crash loop with the following error: `unable to start HTTP server: error while opening the inbound connection: listen tcp :80: bind: permission denied`
This issue was locally resolved by manually editing the security context of the pod and adding the following block to set port 80 as unprivileged:
securityContext:
  sysctls:
    - name: net.ipv4.ip_unprivileged_port_start
      value: "80"
This is officially considered a safe namespaced sysctl since 1.22.
This has also been raised to Kubernetes to set as a potential default: kubernetes/kubernetes#102612
Could the container port be changed to reflect the port selected in the CRD `spec.broker.port`, so that we can control the exposed port on the pod?
If that is not possible, could this be added to the pod templates for all resources that attempt to bind privileged ports? For security reasons we may not want to enable this generally within our clusters.
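The check an operator would want before rolling a broker like this into a cluster: scan a pod spec for container ports below the privileged-port boundary and flag those not covered by the `net.ipv4.ip_unprivileged_port_start` sysctl or an explicit `NET_BIND_SERVICE` capability. This is an added example, not code from the issue author or from the broker project; the field names are the standard Kubernetes PodSpec fields, and the two sample pod specs are constructed to mirror the situation described above.

```python
"""Flag containers in a Kubernetes pod spec that bind privileged ports
(< 1024) without a pod-level sysctl or capability that permits it.

Added example (not the project's own code). Field names follow the
Kubernetes PodSpec: spec.securityContext.sysctls and
spec.containers[].securityContext.capabilities.add.
"""

LINUX_DEFAULT_UNPRIVILEGED_START = 1024  # kernel default for ip_unprivileged_port_start
SYSCTL_NAME = "net.ipv4.ip_unprivileged_port_start"
BIND_CAPABILITY = "NET_BIND_SERVICE"


def unprivileged_port_start(pod_spec):
    """Return the first port an unprivileged process may bind in this pod.

    Uses the pod-level sysctl if set, otherwise the Linux default of 1024.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    for sysctl in pod_sc.get("sysctls") or []:
        if sysctl.get("name") == SYSCTL_NAME:
            return int(sysctl["value"])  # Kubernetes stores sysctl values as strings
    return LINUX_DEFAULT_UNPRIVILEGED_START


def _has_bind_capability(container):
    """True if the container explicitly adds NET_BIND_SERVICE."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    return BIND_CAPABILITY in (caps.get("add") or [])


def privileged_port_findings(pod_spec):
    """Return [(container_name, port), ...] for ports that would hit
    'bind: permission denied' for a non-root process in this pod."""
    start = unprivileged_port_start(pod_spec)
    findings = []
    for container in pod_spec.get("containers") or []:
        if _has_bind_capability(container):
            continue  # capability grants the bind regardless of the sysctl
        for port_entry in container.get("ports") or []:
            port = int(port_entry["containerPort"])
            if port < start:
                findings.append((container["name"], port))
    return findings


# Constructed sample: the broker as reported, exposing port 80 with no
# pod-level sysctl, so the bind fails for an unprivileged user.
BROKER_POD_AS_REPORTED = {
    "containers": [{"name": "broker", "ports": [{"containerPort": 80}]}],
}

# Constructed sample: the same pod with the workaround from the issue applied.
BROKER_POD_WITH_SYSCTL = {
    "securityContext": {"sysctls": [{"name": SYSCTL_NAME, "value": "80"}]},
    "containers": [{"name": "broker", "ports": [{"containerPort": 80}]}],
}

# Constructed sample: the requested fix, the container port following the
# CRD value (an unprivileged port), so no sysctl is needed at all.
BROKER_POD_ON_HIGH_PORT = {
    "containers": [{"name": "broker", "ports": [{"containerPort": 8080}]}],
}


if __name__ == "__main__":
    for label, spec in [
        ("as reported", BROKER_POD_AS_REPORTED),
        ("with sysctl", BROKER_POD_WITH_SYSCTL),
        ("on high port", BROKER_POD_ON_HIGH_PORT),
    ]:
        print(f"{label}: {privileged_port_findings(spec) or 'ok'}")
```

Note that the sysctl value is a floor, not a whitelist: setting it to `"80"` also makes every port from 80 upward bindable by any user in the pod's network namespace, which is why the issue prefers to fix the container port rather than enable the sysctl cluster-wide.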