rancher / rancher

Complete container management platform
http://rancher.com
Apache License 2.0

Incorrect Cattle Public Endpoint Annotation #16215

Open ghost opened 6 years ago

ghost commented 6 years ago

Rancher versions: rancher/rancher: v2.1.0

Steps to Reproduce:

  1. Deploy rancher v2.1.0
  2. Edit Restricted Pod Security Policy

         Host Network: Yes: The use of host networking
         Allowed Capabilities: NET_BIND_SERVICE
         Host Ports Policy: range 8080 - 8080, 8443 - 8443

  3. Deploy custom cluster using restricted Pod Security Policy from above
  4. Edit yaml for cluster > system > nginx-ingress-controller

         containers:
           - args:
               - /nginx-ingress-controller
               - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
               - --configmap=$(POD_NAMESPACE)/nginx-configuration
               - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
               - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
               - --annotations-prefix=nginx.ingress.kubernetes.io
               - --http-port=8080
               - --https-port=8443
             ports:
               - containerPort: 8080
                 hostPort: 8080
                 name: http
                 protocol: TCP
               - containerPort: 8443
                 hostPort: 8443
                 name: https
                 protocol: TCP

  5. Redeploy nginx-ingress-controller
  6. Deploy workload and add ingress rule (.xip.io)

Results: The ingress rule that is created uses port 80 for public endpoints. The ingress rule will not work since the ingress controller is listening on ports 8080 and 8443.

    field.cattle.io/publicEndpoints: '[{"addresses":["142.93.81.218"],"port":80,"protocol":"HTTP","serviceName":"default:ingress-ea406cef0c86616c5c91a0cbb764c577","ingressName":"default:webapp-ingress","hostname":"webapp-ingress.default.142.93.81.218.xip.io","allNodes":true}]'

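
The mismatch reported above can be checked mechanically. The following is an added example, not part of the original issue and not Rancher's code: it compares the ports advertised in a `field.cattle.io/publicEndpoints` annotation with the ports the ingress controller container is actually reachable on. The function names are hypothetical, the container is assumed to be supplied as a dict (as in the JSON form of the workload spec), and the controller is assumed to fall back to 80/443 when `--http-port` / `--https-port` are not set.

```python
import json

# Assumption: controller ports when --http-port / --https-port are absent.
DEFAULT_PORTS = {"HTTP": 80, "HTTPS": 443}
PORT_FLAGS = {"--http-port": "HTTP", "--https-port": "HTTPS"}


def controller_ports(container):
    """Map protocol -> node port the ingress controller is reachable on."""
    listen = dict(DEFAULT_PORTS)
    for arg in container.get("args", []):
        flag, sep, value = arg.partition("=")
        if sep and flag in PORT_FLAGS:
            listen[PORT_FLAGS[flag]] = int(value)
    # A hostPort mapping, when present, decides the port exposed on the node.
    host = {p["containerPort"]: p["hostPort"]
            for p in container.get("ports", []) if "hostPort" in p}
    return {proto: host.get(port, port) for proto, port in listen.items()}


def stale_endpoints(annotation, container):
    """Return (hostname, protocol, advertised, actual) for each mismatch."""
    actual = controller_ports(container)
    findings = []
    for ep in json.loads(annotation):
        proto = ep.get("protocol", "").upper()
        if proto in actual and ep.get("port") != actual[proto]:
            findings.append((ep.get("hostname"), proto, ep.get("port"), actual[proto]))
    return findings


# Container fragment and annotation value taken from the report above.
CONTAINER = {
    "args": ["/nginx-ingress-controller", "--http-port=8080", "--https-port=8443"],
    "ports": [
        {"containerPort": 8080, "hostPort": 8080, "name": "http", "protocol": "TCP"},
        {"containerPort": 8443, "hostPort": 8443, "name": "https", "protocol": "TCP"},
    ],
}
ANNOTATION = '[{"addresses":["142.93.81.218"],"port":80,"protocol":"HTTP","serviceName":"default:ingress-ea406cef0c86616c5c91a0cbb764c577","ingressName":"default:webapp-ingress","hostname":"webapp-ingress.default.142.93.81.218.xip.io","allNodes":true}]'

if __name__ == "__main__":
    for host, proto, advertised, real in stale_endpoints(ANNOTATION, CONTAINER):
        print(f"{host}: {proto} advertised on {advertised}, controller listens on {real}")
```
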
ghost commented 6 years ago

Refer to https://github.com/rancher/rancher/issues/16119