podman: [Bug]: Disable automatic publishing of all ports for kube play

Feature request description

Currently podman kube play automatically publishes all ports which are defined in Kubernetes YAMLs as containerPort.

Kubernetes YAML example:

apiVersion: v1
kind: Pod
metadata:
  name: all-ports-published-reproducer
spec:
  containers:
    - name: all-ports-published-reproducer-nginx
      image: "docker.io/bitnami/nginx:1.23"
      env:
        - name: NGINX_HTTP_PORT_NUMBER
          value: "8082"
      ports:
        - name: http
          containerPort: 8082

Podman command: podman kube play all-ports-published-reproducer.yaml

Output of podman port --latest: 8082/tcp -> 0.0.0.0:8082

Users should be able to disable this behavior to prevent accidentally publishing ports to the outside world.

Suggest potential solution

Similiarly to #16880 a new flag --publish-all like the one in podman run should be added to podman kube play.
This flag should accept a boolean parameter which is true by default to preserve the current behavior.

If --publish-all=false is set ports should not be automatically published and only be published if the Kubernetes YAML explicitly defines the hostPort field.

Kubernetes YAML example with explicit hostPort set.

apiVersion: v1
kind: Pod
metadata:
  name: all-ports-published-reproducer
spec:
  containers:
    - name: all-ports-published-reproducer-nginx
      image: "docker.io/bitnami/nginx:1.23"
      env:
        - name: NGINX_HTTP_PORT_NUMBER
          value: "8082"
      ports:
        - name: http
          containerPort: 8082
          hostPort: 80

Have you considered any alternatives?

Podman Quadlets would be an alternative but would prevent users from using already existing Kubernetes YAMLs / Helm charts.

Additional context

#16766 introduces a change to publish ports on a random port instead of reusing the containerPort field of the Kubernetes YAML if hostPort is not set.
If the new flag --publish-all is set to false and the hostPort field is explicitly set to 0 the port should be published on a random port.

Even if firewalld is active on the server netavark currently allows these automatically published ports to be reachable from the outside world, which might be a security concern.

About this issue

Original URL
State: closed
Created a year ago
Reactions: 1
Comments: 34 (14 by maintainers)

Commits related to this issue

#17028 Kube Play - Add flag to disable automatic publishing of all container ports — committed to Syquel/podman by Syquel a year ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Fixes #17028 — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Fixes #17028 Signed-off-by: Peter ... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago
Fix all ports exposed by kube play Container ports defined with containerPort were exposed by default even though kubernetes interprets them as mostly informative. Closes #17028 Signed-off-by: Peter... — committed to Backfighter/podman by Backfighter 10 months ago

Most upvoted comments

I agree change the behavior now.

rhatdan on May 12, 2023

OK, I am in favor of changing the behavior before 5.0. @containers/podman-maintainers please speak up if you disagree.

vrothberg on May 11, 2023

Well not binding a host port is exactly what podman did until #15946. I don’t understand why it was changed like this when it is neither how k8s behaves (not binding) nor how podman run would behave (binding a random port). I would even argue that #15946 was already a breaking change.

Adding a --publish-all sounds good to me. As for breaking backwards compatibly the next possibility would be 5.0.

Luap99 on May 11, 2023

@schewara, thanks for sharing. If you are using RHEL and desire a backport, please go through the Red Hat customer channels (e.g., Bugzilla).

vrothberg on May 22, 2023

I also just got bit by this issue after upgrading from EL 9.1 -> 9.2 with podman being upgraded from version 4.2 to 4.4, with the result, that all web containers refused to start with

rootlessport cannot expose privileged port 80

From my point of view that was already a breaking change which should be reverted sooner then later.

Also comparing it with the behavior of docker compose, where the ports also must be explicitly defined, users migrating from compose to podman will most likely also run into this issue.

In my testing setup here all pods are using a bridge network, where the pods should listen to and external access is only possible through an ingress pod communicating over the bridge network.

Running rootless without adjusting the net.ipv4.ip_unprivileged_port_start setting luckily saved me here, otherwise the services (ignoring the port conflicts), would have been automatically exposed to the wild with all security measures circumvented.

schewara on May 18, 2023

So the flag should be false by default, but the defalt behaviour of this flag can be changed in the containers.conf right?

Shikachuu on May 12, 2023