I’ve built a docker image based on httpd:2.4. In my k8s deployment I’ve defined the following securityContext:

```yaml
securityContext:
  privileged: false
  runAsNonRoot: true
  runAsUser: 431
  allowPrivilegeEscalation: false
```

In order to get this container to run properly as non-root, apache needs to be configured to bind to a port > 1024, as opposed to the default 80. As far as I can tell this means editing `Listen 80` in `httpd.conf` to `Listen {Some port > 1024}`.
When I want to run the docker image I’ve built normally (i.e. on default port 80) I have the following port settings:

- deployment: `spec.template.spec.containers[0].ports[0].containerPort: 80`
- service: `spec.ports[0].targetPort: 80`, `spec.ports[0].port: 8080`
- ingress: `spec.rules[0].http.paths[0].backend.servicePort: 8080`
Given these settings the service becomes accessible at the host URL provided in the ingress manifest. Again, this is without the changes to `httpd.conf`. When I make those changes (using `Listen 8000`), and add in the `securityContext` section to the deployment, I change the various manifests accordingly:

- deployment: `spec.template.spec.containers[0].ports[0].containerPort: 8000`
- service: `spec.ports[0].targetPort: 8000`, `spec.ports[0].port: 8080`
- ingress: `spec.rules[0].http.paths[0].backend.servicePort: 8080`

Yet for some reason, when I try to access a URL that should be working I get a 502 Bad Gateway error. Have I set the ports correctly? Is there something else I need to do?
2 Answers
- Check if the pod is Running.
- Check if the URL is accessible within the pod.
- If the above didn’t work, check your httpd.conf.
- Check with the service name.
- You can check the ingress logs too.
You got it, that’s the hard requirement in order to make the Apache container run as non-root; therefore this change needs to be done at the container level, not in Kubernetes abstractions like the Deployment’s Pod spec or the Service/Ingress resource object definitions. So the only thing left in your case is to build a custom httpd image with a listening port > 1024. The same approach applies to the NGINX Docker containers.

One key piece of information about the `containerPort` field in the Pod spec, which you are trying to manually adjust, and which is not so apparent: it is there primarily for informational purposes, and does not cause a port to be opened at the container level. According to the Kubernetes API reference:

I hope this will help you to move on.
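The setup the question and the answer above describe, written out as an added example (these are not the asker’s manifests): the Listen change is baked into the image, the container runs with the question’s securityContext, and the Service’s `targetPort` is what must agree with the port httpd really listens on, since `containerPort` is informational. The image name, host and the `networking.k8s.io/v1` Ingress shape (`backend.service.port.number` instead of the older `servicePort` on the page) are assumptions.

```yaml
# Added example (not the asker's manifests); image name and host are placeholders.
# The image is assumed built from httpd:2.4 with Listen changed in the Dockerfile:
#   RUN sed -i 's/^Listen 80$/Listen 8000/' /usr/local/apache2/conf/httpd.conf
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpd-nonroot
spec:
  selector:
    matchLabels: {app: httpd-nonroot}
  template:
    metadata:
      labels: {app: httpd-nonroot}
    spec:
      containers:
      - name: httpd
        image: registry.example/httpd-nonroot:2.4   # placeholder
        securityContext:
          privileged: false
          runAsNonRoot: true
          runAsUser: 431
          allowPrivilegeEscalation: false
        ports:
        - containerPort: 8000   # informational only; must equal Listen in httpd.conf
        readinessProbe:         # Pod stays out of the Service until httpd answers on 8000
          httpGet: {path: /, port: 8000}
---
apiVersion: v1
kind: Service
metadata:
  name: httpd-nonroot
spec:
  selector: {app: httpd-nonroot}
  ports:
  - port: 8080        # the port the Ingress backend refers to
    targetPort: 8000  # the port httpd actually listens on; a mismatch here yields 502
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpd-nonroot
spec:
  rules:
  - host: httpd.example.com   # placeholder
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service: {name: httpd-nonroot, port: {number: 8080}}
```

The readiness probe makes a wrong Listen port visible as a Pod that never becomes Ready, rather than as a 502 from the Ingress.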