
Fail to helm install keda http-add-on when override interceptor.proxy.port=80 #750

Closed
yaakov-berkovitch opened this issue Aug 1, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@yaakov-berkovitch

Report

The versions I used are:

  • keda-2.11.2
  • keda-add-ons-http-0.5.2
  • helm chart 0.5.0

I install the keda http-add-on with the following command:

    helm upgrade --install http-add-on kedacore/keda-add-ons-http --namespace k8s-plugins --set interceptor.replicas.waitTimeout=60s --set interceptor.proxy.port=80

As a result the keda-http-add-on failed to run; in the keda-add-ons-http-interceptor POD log I see:

    {"level":"error","ts":1690903443.3099988,"caller":"interceptor/main.go:162","msg":"error with interceptor","error":"listen tcp 0.0.0.0:80: bind: permission denied","stacktrace":"main.main\n\tgithub.com/kedacore/http-add-on/interceptor/main.go:162\nruntime.main\n\truntime/proc.go:250"}

Expected Behavior

Overriding port to 80 instead of the default 8080 should work

Actual Behavior

keda-http-add-on proxy failed to run with the following error in the POD log:
{"level":"error","ts":1690903443.3099988,"caller":"interceptor/main.go:162","msg":"error with interceptor","error":"listen tcp 0.0.0.0:80: bind: permission denied","stacktrace":"main.main\n\tgithub.com/kedacore/http-add-on/interceptor/main.go:162\nruntime.main\n\truntime/proc.go:250"}

Steps to Reproduce the Problem

1. helm upgrade --install http-add-on kedacore/keda-add-ons-http --namespace --set interceptor.proxy.port=80

Logs from KEDA HTTP operator

{"level":"error","ts":1690903749.2665758,"caller":"interceptor/main.go:162","msg":"error with interceptor","error":"listen tcp 0.0.0.0:80: bind: permission denied","stacktrace":"main.main\n\tgithub.com/kedacore/http-add-on/interceptor/main.go:162\nruntime.main\n\truntime/proc.go:250"}

HTTP Add-on Version

0.5.0

Kubernetes Version

1.24

Platform

Amazon Web Services

Anything else?

No response

@t0rr3sp3dr0
Contributor

Unprivileged processes may or may not be able to bind to ports lower than 1024, depending on your cluster configuration and setup. Generally, it's enough to add NET_BIND_SERVICE to the list of capabilities of the Pod. You can try patching the Deployment of the Interceptor to add that capability and see if that works for you. If it doesn't work, you probably need to contact the cluster's admins to check what is needed for your Pod to bind to port 80.

@yaakov-berkovitch
Author

@t0rr3sp3dr0 I tried your suggestion but it is failing with the same error. Below is the POD describe output with the addition of the security capability:

apiVersion: v1
kind: Pod
metadata:
  name: keda-add-ons-http-interceptor-5f66997665-qh6pd
  generateName: keda-add-ons-http-interceptor-5f66997665-
  namespace: k8s-plugins
  labels:
    app: keda-add-ons-http
    app.kubernetes.io/component: interceptor
    app.kubernetes.io/instance: http-add-on
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keda-add-ons-http-interceptor
    app.kubernetes.io/part-of: keda-add-ons-http
    app.kubernetes.io/version: 0.5.0
    control-plane: interceptor
    httpscaledobjects.http.keda.sh/version: 0.5.0
    keda.sh/addon: keda-add-ons-http
    name: keda-add-ons-http-interceptor
spec:
  volumes:
    - name: kube-api-access-pwtn4
      projected:
        sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    apiVersion: v1
                    fieldPath: metadata.namespace
        defaultMode: 420
  containers:
    - name: keda-add-ons-http-interceptor
      image: ghcr.io/kedacore/http-add-on-interceptor:0.5.0
      ports:
        - name: inter-admin
          containerPort: 9090
          protocol: TCP
        - name: inter-proxy
          containerPort: 80
          protocol: TCP
      env:
        - name: KEDA_HTTP_CURRENT_NAMESPACE
          value: k8s-plugins
        - name: KEDA_HTTP_PROXY_PORT
          value: '80'
        - name: KEDA_HTTP_ADMIN_PORT
          value: '9090'
        - name: KEDA_HTTP_CONNECT_TIMEOUT
          value: 500ms
        - name: KEDA_HTTP_KEEP_ALIVE
          value: 1s
        - name: KEDA_RESPONSE_HEADER_TIMEOUT
          value: 500ms
        - name: KEDA_CONDITION_WAIT_TIMEOUT
          value: 60s
        - name: KEDA_HTTP_DEPLOYMENT_CACHE_POLLING_INTERVAL_MS
          value: '250'
        - name: KEDA_HTTP_FORCE_HTTP2
          value: 'false'
        - name: KEDA_HTTP_MAX_IDLE_CONNS
          value: '100'
        - name: KEDA_HTTP_IDLE_CONN_TIMEOUT
          value: 90s
        - name: KEDA_HTTP_TLS_HANDSHAKE_TIMEOUT
          value: 10s
        - name: KEDA_HTTP_EXPECT_CONTINUE_TIMEOUT
          value: 1s
      resources:
        limits:
          cpu: 500m
          memory: 64Mi
        requests:
          cpu: 250m
          memory: 20Mi
      volumeMounts:
        - name: kube-api-access-pwtn4
          readOnly: true
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      imagePullPolicy: Always
      securityContext:
        capabilities:
          add:
            - NET_BIND_SERVICE
          drop:
            - all
  restartPolicy: Always
  terminationGracePeriodSeconds: 10
  dnsPolicy: ClusterFirst
  serviceAccountName: keda-add-ons-http-interceptor
  serviceAccount: keda-add-ons-http-interceptor
  nodeName: ip-10-35-120-149.ec2.internal
  securityContext: {}
  schedulerName: default-scheduler
  tolerations:
    - key: node.kubernetes.io/not-ready
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 300
    - key: node.kubernetes.io/unreachable
      operator: Exists
      effect: NoExecute
      tolerationSeconds: 300
  priority: 0
  enableServiceLinks: true
  preemptionPolicy: PreemptLowerPriority

@matthewhembree

I'm not sure why you'd want to use port 80 with non-root UIDs...

Containerd and Kubernetes 1.24 changed how that worked. I think Docker could use NET_BIND_SERVICE due to a "misconfiguration". I'm not clear on the specifics.

You might try using the sysctl way:

      securityContext:
        sysctls:
        - name: net.ipv4.ip_unprivileged_port_start
          value: "80"
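Added example, not code from KEDA or from any participant in this thread: a small Python preflight check that applies the two approaches discussed in the comments above (the NET_BIND_SERVICE capability and the net.ipv4.ip_unprivileged_port_start sysctl) to a constructed Pod spec modelled on the interceptor Pod posted earlier. The function names check_port_bind and interceptor_pod are hypothetical; it assumes the image runs as a non-root user and that the sysctl is permitted on the cluster.

```python
PRIV_PORT_START_DEFAULT = 1024  # kernel default for net.ipv4.ip_unprivileged_port_start
SYSCTL = "net.ipv4.ip_unprivileged_port_start"

def _sysctl(pod_spec, name):
    for entry in pod_spec.get("securityContext", {}).get("sysctls", []):
        if entry.get("name") == name:
            return int(entry["value"])
    return None

def check_port_bind(pod_spec, container_name, port, image_runs_as_root=False):
    """Return (ok, reason). image_runs_as_root covers a UID baked into the image
    (KEDA images use a non-root user) rather than set in the spec."""
    container = next(c for c in pod_spec["containers"] if c["name"] == container_name)
    csc = container.get("securityContext", {})
    psc = pod_spec.get("securityContext", {})
    run_as_user = csc.get("runAsUser", psc.get("runAsUser"))
    is_root = (run_as_user == 0) if run_as_user is not None else image_runs_as_root
    start = _sysctl(pod_spec, SYSCTL)
    if start is None:
        start = PRIV_PORT_START_DEFAULT
    if port >= start:
        return True, f"port {port} is unprivileged ({SYSCTL}={start})"
    caps = csc.get("capabilities", {})
    added = {c.upper() for c in caps.get("add", [])}
    dropped = {c.upper() for c in caps.get("drop", [])}
    # NET_BIND_SERVICE is in the runtime default set unless dropped and not re-added.
    has_cap = "NET_BIND_SERVICE" in added or not ({"ALL", "NET_BIND_SERVICE"} & dropped)
    if is_root and has_cap:
        return True, "root process holds NET_BIND_SERVICE"
    if has_cap:
        # The capability is in the bounding set, but a process with UID != 0 does not
        # get it in its effective set unless the binary carries file capabilities or
        # ambient capabilities are raised, which Kubernetes does not do (the failure
        # seen in this thread). The sysctl moves the privileged boundary instead.
        return False, f"non-root process: NET_BIND_SERVICE not effective; set {SYSCTL}={port}"
    return False, f"NET_BIND_SERVICE missing and port {port} < {start}"

def interceptor_pod(port, sysctl_start=None):
    """Constructed sample modelled on the interceptor Pod above (not a live cluster)."""
    spec = {"securityContext": {}, "containers": [{
        "name": "keda-add-ons-http-interceptor",
        "ports": [{"name": "inter-proxy", "containerPort": port, "protocol": "TCP"}],
        "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["all"]}},
    }]}
    if sysctl_start is not None:
        spec["securityContext"]["sysctls"] = [{"name": SYSCTL, "value": str(sysctl_start)}]
    return spec

if __name__ == "__main__":
    for label, spec in (("caps only", interceptor_pod(80)), ("sysctl", interceptor_pod(80, 80))):
        print(label, check_port_bind(spec, "keda-add-ons-http-interceptor", 80))
```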

@JorTurFer
Member

JorTurFer commented Oct 7, 2023

Hello,
I close this as not planned because KEDA tries to be secure, and using well-known ports usually requires high privileges. Our images run with a non-root user, and this is something we don't plan to change.
If any configuration can be done at the helm chart for allowing this, I'd suggest opening an issue there asking for it, but IMHO, we shouldn't allow it at code level by changing docker images.

@JorTurFer JorTurFer closed this as not planned Won't fix, can't repro, duplicate, stale Oct 7, 2023
@github-project-automation github-project-automation bot moved this from To Triage to Done in Roadmap - KEDA HTTP Add-On Oct 7, 2023