
I’ve built a docker image based on httpd:2.4. In my k8s deployment I’ve defined the following securityContext:

securityContext:
  privileged: false
  runAsNonRoot: true
  runAsUser: 431
  allowPrivilegeEscalation: false

In order to get this container to run properly as non-root, Apache needs to be configured to bind to a port > 1024, as opposed to the default 80. As far as I can tell this means editing Listen 80 in httpd.conf to Listen {Some port > 1024}.

When I want to run the docker image I’ve built normally (i.e. on the default port 80) I have the following port settings:

  • deployment
    • spec.template.spec.containers[0].ports[0].containerPort: 80
  • service
    • spec.ports[0].targetPort: 80
    • spec.ports[0].port: 8080
  • ingress
    • spec.rules[0].http.paths[0].backend.servicePort: 8080

Given these settings the service becomes accessible at the host url provided in the ingress manifest. Again, this is without the changes to httpd.conf. When I make those changes (using Listen 8000), and add in the securityContext section to the deployment, I change the various manifests accordingly:

  • deployment
    • spec.template.spec.containers[0].ports[0].containerPort: 8000
  • service
    • spec.ports[0].targetPort: 8000
    • spec.ports[0].port: 8080
  • ingress
    • spec.rules[0].http.paths[0].backend.servicePort: 8080

Yet for some reason, when I try to access a URL that should be working I get a 502 Bad Gateway error. Have I set the ports correctly? Is there something else I need to do?

2 Answers

  1. Check if pod is Running

    kubectl get pods
    kubectl logs pod_name
    

    Check if the URL is accessible within the pod

    kubectl exec -it <pod_name> -- bash
    $ curl http://localhost:8000
    

    If the above didn’t work, check your httpd.conf.

    Check with the service name

    kubectl exec -it <ingress pod_name> -- bash
    $ curl http://svc:8080
    

    You can check ingress logs too.

  2. In order to get this container to run properly as non-root apache
    needs to be configured to bind to a port > 1024, as opposed to the
    default 80

    You got it; that’s the hard requirement for making the Apache container run as non-root, therefore this change needs to be done at the container level, not in Kubernetes abstractions like the Deployment’s Pod spec or the Service/Ingress resource definitions. So the only thing left in your case is to build a custom httpd image with a listening port > 1024. The same approach applies to the NGINX Docker containers.

    One key piece of information about the ‘containerPort’ field in the Pod spec, which you are trying to adjust manually, and which is not so apparent: it’s there primarily for informational purposes and does not cause a port to be opened at the container level. According to the Kubernetes API reference:

    Not specifying a port here DOES NOT prevent that port from being
    exposed. Any port which is listening on the default “0.0.0.0” address
    inside a container will be accessible from the network. Cannot be updated.

    I hope this will help you to move on.

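The port chain described in the question (containerPort 8000, Service port 8080 → targetPort 8000, Ingress → Service port 8080) wired into one set of manifests, together with the securityContext from the question. This is an added example, not manifests from the question or either answer. It assumes an image built from httpd:2.4 whose httpd.conf says `Listen 8000` (the container-level change the second answer describes); `registry.example/httpd-nonroot:8000`, the resource names, labels and host name are placeholders. The Ingress uses the current `networking.k8s.io/v1` API, where the older `backend.servicePort` field shown in the question became `backend.service.port.number`. A readiness probe on port 8000 is added so that an httpd that is not actually listening there surfaces as a NotReady pod rather than as a 502 at the ingress.

```yaml
# Added example (not from the original question or answers): Deployment,
# Service and Ingress for an httpd image that listens on 8000 as non-root.
# Assumptions: registry.example/httpd-nonroot:8000 is a placeholder name for
# a build of httpd:2.4 with "Listen 8000" in httpd.conf; names, labels and
# the host name are constructed for illustration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd-nonroot
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpd-nonroot        # must match the pod labels below and the Service selector
  template:
    metadata:
      labels:
        app: httpd-nonroot
    spec:
      containers:
        - name: httpd
          image: registry.example/httpd-nonroot:8000
          securityContext:
            privileged: false
            runAsNonRoot: true
            runAsUser: 431
            allowPrivilegeEscalation: false
          ports:
            # Informational only (see the API reference quoted in answer 2):
            # httpd listens on 8000 because httpd.conf says so, not because
            # of this field.
            - name: http
              containerPort: 8000
          # Fails, and keeps the pod out of the Service endpoints, when
          # nothing answers on 8000 inside the container.
          readinessProbe:
            httpGet:
              path: /
              port: 8000
---
apiVersion: v1
kind: Service
metadata:
  name: httpd-nonroot
spec:
  selector:
    app: httpd-nonroot          # no matching ready pods => no endpoints => 502
  ports:
    - name: http
      port: 8080                # the port the Ingress sends traffic to
      targetPort: 8000          # the port httpd listens on inside the pod
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpd-nonroot
spec:
  rules:
    - host: httpd.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: httpd-nonroot
                port:
                  number: 8080  # equals the Service "port", not its targetPort
```

After `kubectl apply -f` on this file, `kubectl get endpoints httpd-nonroot` should list the pod IP with port 8000; an empty endpoints list means the Service selector does not match the pod labels or the readiness probe is failing, both of which produce the 502 the question describes, independently of the Ingress port settings.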