I've built a docker image based on httpd:2.4. In my k8s deployment I've defined the following securityContext:
securityContext:
  privileged: false
  runAsNonRoot: true
  runAsUser: 431
  allowPrivilegeEscalation: false
In order to get this container to run properly as non-root, apache needs to be configured to bind to a port > 1024, as opposed to the default 80. As far as I can tell this means editing Listen 80 in httpd.conf to Listen {Some port > 1024}.
When I want to run the docker image I've built normally (i.e. on default port 80) I have the following port settings:
  spec.template.spec.containers[0].ports[0].containerPort: 80
  spec.ports[0].targetPort: 80
  spec.ports[0].port: 8080
  spec.rules[0].http.paths[0].backend.servicePort: 8080
Given these settings the service becomes accessible at the host url provided in the ingress manifest. Again, this is without the changes to httpd.conf. When I make those changes (using Listen 8000), and add in the securityContext section to the deployment, I change the various manifests accordingly:
  spec.template.spec.containers[0].ports[0].containerPort: 8000
  spec.ports[0].targetPort: 8000
  spec.ports[0].port: 8080
  spec.rules[0].http.paths[0].backend.servicePort: 8080
Yet for some reason, when I try to access a URL that should be working I get a 502 Bad Gateway error. Have I set the ports correctly? Is there something else I need to do?
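The port chain from the question written out as a complete set of manifests, added here as an illustration (it is not from the original question or either answer). It assumes a custom image named my-httpd:nonroot, built from httpd:2.4 with Listen 8000 in httpd.conf and whatever else httpd needs to start as uid 431, plus a placeholder host httpd.example.com. The Ingress is written against networking.k8s.io/v1, where the servicePort field from the question becomes backend.service.port.number. The Service uses a named targetPort, so the only place the number 8000 appears is the containerPort, and a readiness probe on that same port stops the pod from being added to the Service endpoints unless httpd really answers there:

```yaml
# Added example, not from the original post. Assumed names: image my-httpd:nonroot
# (built from httpd:2.4 with "Listen 8000"), host httpd.example.com.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd
  template:
    metadata:
      labels:
        app: httpd
    spec:
      containers:
      - name: httpd
        image: my-httpd:nonroot          # assumed image; must already listen on 8000
        securityContext:
          privileged: false
          runAsNonRoot: true
          runAsUser: 431
          allowPrivilegeEscalation: false
        ports:
        - name: http
          containerPort: 8000            # the port httpd binds; referenced by name below
        # If httpd is not actually listening on 8000, this probe fails, the pod never
        # becomes Ready, the Service has no endpoints and the ingress returns 502.
        readinessProbe:
          httpGet:
            path: /
            port: http
          periodSeconds: 5
---
apiVersion: v1
kind: Service
metadata:
  name: httpd
spec:
  selector:
    app: httpd
  ports:
  - name: http
    port: 8080          # what the ingress controller connects to
    targetPort: http    # resolves to containerPort 8000 via the port name
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpd
spec:
  rules:
  - host: httpd.example.com              # placeholder host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: httpd
            port:
              number: 8080               # must equal spec.ports[].port on the Service
```

After kubectl apply -f, kubectl get endpoints httpd should list <pod-ip>:8000; an empty ENDPOINTS column together with a 502 from the ingress means the readiness probe is failing, i.e. httpd inside the container is not answering on 8000, and kubectl logs on the pod is the place to look next.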
kubectl get pods
kubectl logs pod_name
kubectl exec -it <pod_name> -- bash
$ curl http://localhost:8000
If the above didn't work, check your httpd.conf.
kubectl exec -it <ingress pod_name> -- bash
$ curl http://svc:8080
You can check ingress logs too.
In order to get this container to run properly as non-root apache needs to be configured to bind to a port > 1024, as opposed to the default 80
You got it, that's the hard requirement in order to make the apache container run as non-root, therefore this change needs to be done at container level, not to Kubernetes abstractions like the Deployment's Pod spec or Service/Ingress resource object definitions. So the only thing left in your case is to build a custom httpd image with a listening port > 1024. The same approach applies to the NGINX Docker containers.
One key piece of information about the 'containerPort' field in the Pod spec, which you are trying to adjust manually, and which is not so apparent: it's there primarily for informational purposes, and does not cause a port to be opened at container level. According to the Kubernetes API reference:
Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.
I hope this will help you to move on.