
In my OpenShift cluster, I noticed that all my pods have a port that's open without me specifying it. It's port 443, which is apparently used for the k8s API, as mentioned in this post.

Even after reading, I still don't understand something.

I understand that the service exists and forwards to all pods. But for the pods to receive and send requests using this service, the port must be open in the containers. But somehow, even without specifying a port on my pod's container, that default 443 port is open, which allows me to do something like this:

  1. Create service with target port set to 443
  2. Set up a pod with no container port open.
  3. Successfully use service to communicate with container.

Is this safe? What opens the container port without me specifying it? Is there a way to prevent this from happening?

  • I am also a newbie. As per my understanding, when you start a pod it has its separate virtual network space which has all ports open. Using the NetworkPolicy resource you can add the constraint on which ports the pod will send/receive traffic. For more security you can make use of the SecurityContext resource, which defines what access the application running in the container has. – SauriBabu Apr 10 '21 at 08:49
  • @SauriBabu thanks for the info, but that still doesn't explain why my container port is open, unless I'm missing something – Daniel Karapishchenko Apr 10 '21 at 08:51
  • As I said, when a pod is started it has a totally separate network space, which has all ports available. Unless you block ports using NetworkPolicy they are open to access. – SauriBabu Apr 10 '21 at 08:57

1 Answer


I noticed that all my pods have a port that's open without me specifying it.

Yes, the `containerPort:` is just metadata; the container might listen on other ports as well.

Is this safe? What opens the container port without me specifying it? Is there a way to prevent this from happening?

Yes, this is what Kubernetes Network Policies are for.

Jonas
  • So what exactly is the use of `containerPort:` then? Does it add a `networkPolicy:` behind the scenes? Or does it just open a port to the pod on top of the selected `networkPolicy:`? – Daniel Karapishchenko Apr 10 '21 at 09:00
  • No, it doesn't do anything. That is similar to `EXPOSE` in a Dockerfile: https://nickjanetakis.com/blog/docker-tip-59-difference-between-exposing-and-publishing-ports I agree, this is a bit disappointing. – Jonas Apr 10 '21 at 09:03
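The setup from the question (a pod with no `containerPort:`, a Service whose `targetPort` points at it) together with the NetworkPolicy the answer refers to, as an added example that is not part of the question or the answer. It assumes a namespace `demo`, an application that listens on 8080, a `role=frontend` label on the allowed clients, and a network plugin that enforces NetworkPolicy (OpenShift SDN and OVN-Kubernetes do).

```yaml
# Added example; names, labels and the image are assumptions.
apiVersion: v1
kind: Pod
metadata: {name: backend, namespace: demo, labels: {app: backend}}
spec:
  containers:
    - name: app
      image: registry.example.com/backend:1.0   # placeholder image
      # No containerPort: the process still listens on 8080 inside the
      # pod's network namespace; the field would only be documentation.
---
apiVersion: v1
kind: Service
metadata: {name: backend, namespace: demo}
spec:
  selector: {app: backend}
  ports:
    - port: 443        # what clients connect to
      targetPort: 8080 # what the pod actually listens on
---
# 1) Default-deny: with this in place, no pod in the namespace accepts
#    ingress unless another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress, namespace: demo}
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes: [Ingress]
---
# 2) Allow only role=frontend pods to reach backend, and only on 8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-frontend-to-backend, namespace: demo}
spec:
  podSelector:
    matchLabels: {app: backend}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels: {role: frontend}
      ports:
        # Policy ports are the pod's ports (the Service targetPort),
        # not the Service port 443.
        - protocol: TCP
          port: 8080
```

Apply with `kubectl apply -f` and confirm the objects with `kubectl get networkpolicy -n demo`; if the cluster's network plugin does not implement NetworkPolicy the objects are accepted but not enforced, so test connectivity from a pod without the `role=frontend` label to confirm it is refused.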