snowdrop / godaddy-webhook

Cert Manager Godaddy Webhook performing ACME challenge using DNS record
Apache License 2.0

Need more privilege to open port 443 in godaddy-webhook pod #4

Closed llaforest closed 2 years ago

llaforest commented 2 years ago

Running in OCP 4.x, it seems that when the godaddy-webhook pod starts, it cannot bind to port 443 because it doesn't have the right to do it. To overcome this, I added the user godaddy-webhook to the anyuid SCC, but it would be preferable not to do this:

oc adm policy add-scc-to-user anyuid -z "godaddy-webhook"

Would there be a way to modify some clusterRole so the user could do that?

cmoulliard commented 2 years ago

Would there be a way to modify some clusterRole so the user could do that?

I'm not sure. As reported within this thread discussion, we cannot bind an application in a container to ports 80 and 443 (which are < 1024), as this is not allowed for a non-root user. As OpenShift uses random UIDs, you need to change the port in the container to e.g. 8080, 8443 or any other port greater than 1024.

It is possible to create a new SCC with fewer privileges and use a role to link it to the serviceAccount used by the pod - https://docs.openshift.com/container-platform/4.9/authentication/managing-security-context-constraints.html#security-context-constraints-creating_configuring-internal-oauth Using this option, allowHostPorts: true should perhaps be enough to bind port: 443

cmoulliard commented 2 years ago

That works -->

kc get pods -n cert-manager
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-55658cdf68-kh7pq             1/1     Running   0          6m54s
cert-manager-cainjector-967788869-zr2k9   1/1     Running   0          6m54s
cert-manager-webhook-6668fbb57d-b8tmv     1/1     Running   0          6m54s
godaddy-webhook-c67c985cc-2wxbq           1/1     Running   0          48s

kc describe -n cert-manager godaddy-webhook-c67c985cc-2wxbq
error: the server doesn't have a resource type "godaddy-webhook-c67c985cc-2wxbq"

kc describe -n cert-manager pod/godaddy-webhook-c67c985cc-2wxbq
Name:         godaddy-webhook-c67c985cc-2wxbq
Namespace:    cert-manager
Priority:     0
Node:         kind-control-plane/172.18.0.2
Start Time:   Mon, 24 Jan 2022 17:51:53 +0100
Labels:       app.kubernetes.io/instance=godaddy-webhook
              app.kubernetes.io/name=godaddy-webhook
              pod-template-hash=c67c985cc
Annotations:  <none>
Status:       Running
IP:           10.244.0.9
IPs:
  IP:           10.244.0.9
Controlled By:  ReplicaSet/godaddy-webhook-c67c985cc
Containers:
  godaddy-webhook:
    Container ID:  containerd://cfb4e7c2df51657d57c6450329efbf5d393e6029d2d7ad4f585dddeaa012c3b1
    Image:         quay.io/snowdrop/cert-manager-webhook-godaddy:latest
    Image ID:      quay.io/snowdrop/cert-manager-webhook-godaddy@sha256:877043db71c017a81f8d57628520cde572f349b5a0ab7d7f7d86d48892d5f9b9
    Port:          8443/TCP
    Host Port:     0/TCP
    Args:
      --tls-cert-file=/tls/tls.crt
      --tls-private-key-file=/tls/tls.key
      --secure-port=8443

llaforest commented 2 years ago

Thanks for the fix. Please note that when deploying on OpenShift with oc apply, the webhook-all.yml must be edited to change the containerPort to 8443 and a new arg must specify the secure port:

containerPort: 8443
--secure-port=8443
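The fix agreed on in this thread (listen on an unprivileged port instead of granting anyuid or a custom SCC), written out as a complete Deployment plus Service. This is an added example, not the project's webhook-all.yml: the resource names, labels, serviceAccountName, TLS secret name and the Service itself are assumptions for illustration; only the image, the tls args, the 8443 containerPort and the --secure-port=8443 arg come from the thread above. The pod-level securityContext and the dropped capabilities are there so the pod admits under OpenShift's default restricted SCC with whatever random UID the namespace assigns.

```yaml
# Added example (not the project's own manifest).
# Assumed: resource names, labels, serviceAccountName, secret name, Service.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: godaddy-webhook
  namespace: cert-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: godaddy-webhook
  template:
    metadata:
      labels:
        app.kubernetes.io/name: godaddy-webhook
    spec:
      serviceAccountName: godaddy-webhook          # assumed SA name
      securityContext:
        runAsNonRoot: true        # works with OpenShift's random UID; no anyuid needed
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: godaddy-webhook
          image: quay.io/snowdrop/cert-manager-webhook-godaddy:latest
          args:
            - --tls-cert-file=/tls/tls.crt
            - --tls-private-key-file=/tls/tls.key
            # Before: no --secure-port arg, so the webhook tried to bind 443 and
            # failed as a non-root user (ports < 1024 are privileged).
            # After: listen on an unprivileged port.
            - --secure-port=8443
          ports:
            - name: https
              containerPort: 8443   # was 443
              protocol: TCP
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]         # nothing in the restricted SCC needs to be added
          volumeMounts:
            - name: certs
              mountPath: /tls
              readOnly: true
      volumes:
        - name: certs
          secret:
            secretName: godaddy-webhook-webhook-tls   # assumed secret name
---
# cert-manager keeps talking to the webhook on 443 through the Service;
# only targetPort moves to the new container port.
apiVersion: v1
kind: Service
metadata:
  name: godaddy-webhook
  namespace: cert-manager
spec:
  selector:
    app.kubernetes.io/name: godaddy-webhook
  ports:
    - name: https
      port: 443
      targetPort: https   # resolves to containerPort 8443
      protocol: TCP
```

After oc apply -f, a quick check that the pod was admitted without an elevated SCC is oc get pod -n cert-manager -l app.kubernetes.io/name=godaddy-webhook -o jsonpath='{.items[0].metadata.annotations.openshift\.io/scc}', which should print restricted (or restricted-v2 on newer releases) rather than anyuid.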