Closed shuaibiyy closed 3 years ago
anestos
commented
3 years ago Isn't it a good practice to still expose the Pod's port even if it is used only by the service?
I would leave the default curity.runtime.deployment.port to be empty and expose an extra port from the Pod if that is set. i.e
{{- if .Values.curity.runtime.deployment.port }}
- name: deployment-port
containerPort: {{ .Values.curity.runtime.deployment.port }}
protocol: TCP
{{- end }}
shuaibiyy
commented
3 years ago @anestos not sure I completely understand. With curity.runtime.deployment.port, the pod's http-port will still be exposed, and based on the curity docker image – it'd probably always be 8443. In the service spec, we then get to map the http-port to whatever port we want to expose on the service (e.g. port 80):
- port: {{ .Values.curity.runtime.service.port }}
targetPort: http-port # always refers to whatever the value of `curity.runtime.deployment.port` is
protocol: TCP
name: http-portSorry i missanderstood the change. Looks good then
shuaibiyy
commented
3 years ago @anestos @travisspencer can this be merged?
By introducing a
curity.runtime.deployment.portparameter, the deployment container's port can remain on the default port (i.e.8443) while allowing the runtime service (viacurity.runtime.service.port) to be on a different port.An example use case is one where kube dns is relied upon to reach kubernetes services by name only, i.e., being able to use
http://curity-idsvr-runtime-svcinstead ofhttp://curity-idsvr-runtime-svc:8443.