kubernetes-sigs / kwok

Kubernetes WithOut Kubelet - Simulates thousands of Nodes and Clusters.
https://kwok.sigs.k8s.io
Apache License 2.0
2.56k stars 202 forks

Expose etcd port unexpected #1035

Closed mingyuanzhu closed 2 months ago

mingyuanzhu commented 6 months ago

How to use it?

What happened?

I ran `KUBECONFIG=~/.kube/kube-sampleserver2 KWOK_KUBE_VERSION=v1.18.15 kwokctl create cluster --name=test-sampleserver2 --kube-apiserver-port=6443 --kube-authorization --config=~/Downloads/kwok-test.yaml -v -4` to create a cluster, and I set etcdPort to 0, which should not expose the port locally.

What did you expect to happen?

If etcdPort == 0 is set, the etcd port should not be exposed locally.

How can we reproduce it (as minimally and precisely as possible)?

```yaml
kind: KwokctlConfiguration
apiVersion: config.kwok.x-k8s.io/v1alpha1
options:
  etcdPort: 0
  etcdPeerPort: 0
```

```console
KUBECONFIG=~/.kube/kube-sampleserver2 KWOK_KUBE_VERSION=v1.18.15 kwokctl create cluster --name=test-sampleserver2 --kube-apiserver-port=6443 --kube-authorization --config=~/Downloads/kwok-test.yaml -v -4
```

Anything else we need to know?

No response

Kwok version

```console
$ kwok --version
kwok version v0.5.1 go1.21.7 (darwin/arm64)
$ kwokctl --version
kwokctl version v0.5.1 go1.21.7 (darwin/arm64)
```

OS version

```console
# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here
# On Darwin:
$ uname -a
# paste output here
# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here
```

wzshiming commented 6 months ago

This behavior is expected, this port is reserved for kwokctl hack and allows it to modify etcd data.

Maybe in the future I'll see if I can do this without exposing the port.

mingyuanzhu commented 6 months ago

> This behavior is expected, this port is reserved for kwokctl hack and allows it to modify etcd data.
>
> Maybe in the future I'll see if I can do this without exposing the port.

Hello @wzshiming, when I use v0.4.0, etcd does not map port 2379 to a local network port. But after I upgraded to v0.5.1, etcd port 2379 is mapped to a local network port. And etcd does not have secure mode enabled, so there may be some security issues. Do you have any suggestions?

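One way to check for the exposure described in the comment above on a Linux host, as an added example that is not part of this thread or of the kwok project: after `kwokctl create cluster`, pipe `ss -ltn` into the function below and it reports any listener on the etcd client port (2379) or peer port (2380) that is bound to something other than loopback. The `ss` output embedded here is constructed for the demonstration, not captured from a real kwokctl run, and the function makes no assumption about which address kwokctl actually binds; it only reads what `ss` reports.

```shell
#!/bin/sh
# Added example (not kwok project code): audit `ss -ltn` output for etcd
# ports exposed beyond loopback after `kwokctl create cluster`.

# Read `ss -ltn` lines on stdin; print "host port" for each LISTEN socket on
# port 2379 or 2380 whose bind address is not 127.0.0.1 or [::1].
# Handles IPv4 ("0.0.0.0:2379"), IPv6 ("[::]:2379") and wildcard ("*:2379").
find_exposed_etcd() {
    awk '
        NR > 1 && $1 == "LISTEN" {
            addr = $4                       # Local Address:Port column
            n = split(addr, parts, ":")
            port = parts[n]                 # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "2379" || port == "2380") {
                if (host != "127.0.0.1" && host != "[::1]") print host, port
            }
        }'
}

# Constructed sample of `ss -ltn` output (assumption for this demo, not a
# real capture): apiserver and etcd peer port on loopback, client port on all
# interfaces for both IPv4 and IPv6.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:6443      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:2379        0.0.0.0:*
LISTEN 0      4096   [::]:2379           [::]:*
LISTEN 0      4096   127.0.0.1:2380      0.0.0.0:*'

# Run the audit over the constructed sample (two exposed 2379 listeners).
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | find_exposed_etcd
}

audit_sample
# On a live host:  ss -ltn | find_exposed_etcd
```

An empty result means etcd is reachable only from the host itself; any line printed is a port that other machines on the network can reach, which matters because the comment above notes that etcd is running without secure mode.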
wzshiming commented 6 months ago

kwokctl is only used as a tool for development and testing, so why would it be a security issue? What are you using it for?

mingyuanzhu commented 6 months ago

> This kwokctl is only used as a tool for development and testing, so why would it be a security issue, what are you using it for?

We use the kwokctl to mock the env and run some e2e tests.

wzshiming commented 6 months ago

Although I think it's not a big deal to expose one more port in testing, when #1036 is implemented this etcd port will not be exposed when not specified.

I will implement it when I have time.

k8s-triage-robot commented 3 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 months ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

wzshiming commented 2 months ago

/remove-lifecycle rotten