unicef / magasin

Cloud native open-source end-to-end data / AI / ML platform
https://unicef.github.io/magasin/
Apache License 2.0

mag-cli support for address in port forward #59

Open merlos opened 4 months ago

merlos commented 4 months ago

When magsh was introduced (PR #58), in order to support port forwarding in the Docker image to allow opening the UI in localhost, it was needed to set the --address 0.0.0.0 in the kubectl command of mag <component> ui. Adding --address 0.0.0.0 makes kubectl open the port in all interfaces. In the case of Docker, it can be done through

 [Kubernetes cluster service] <------> [docker-image (runs kubectl port-forward) docker-ip ]<----->[docker host: localhost] 

Before this change kubectl only listened to localhost.

Opening the port in all interfaces is not an issue in the docker image, but when running mag-cli on a computer, it will open the ports in all the interfaces, which may create an attack vector.

Potential solutions

1) Enable --address parameter in mag <component> ui and any command that forwards a port so that by default it opens localhost but there is an option for launching the ui kubectl listening to all ports.

2) In docker run test using --network=host when launching magsh.

3) Enable a config setting for enforcing the default behaviour. That way it can be enforced through config to set the address to listen to by default.

4) Make the mag client savvier. If it cannot listen to localhost (which happens in the image) try to listen to the (hostname -i) address.

References:
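
A sketch of potential solutions 1 and 3 from the issue above, added here as an example; it is not part of the issue and not mag-cli's own code. The function names and the `MAG_FORWARD_ADDRESS` setting are hypothetical, and only a single address is handled (kubectl's `--address` also accepts a comma-separated list).

```shell
#!/usr/bin/env bash
# Added example: pick the listen address for `kubectl port-forward`.
# MAG_FORWARD_ADDRESS and all function names are hypothetical, not mag-cli's.

# Succeeds when the address is reachable only from the local machine.
is_loopback() {
  case "$1" in
    localhost|127.*|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# kubectl's --address takes "localhost" or IP addresses. This is a character
# allow-list, not a full IP parser: it keeps a flag or config value from
# carrying shell metacharacters or extra arguments; kubectl rejects the rest.
is_valid_address() {
  case "$1" in
    localhost) return 0 ;;
    ''|*[!0-9a-fA-F.:]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Precedence: command-line value, then MAG_FORWARD_ADDRESS, then localhost.
# Prints the chosen address; warns on stderr when it is not loopback.
resolve_address() {
  addr="${1:-${MAG_FORWARD_ADDRESS:-localhost}}"
  if ! is_valid_address "$addr"; then
    echo "invalid address: $addr" >&2
    return 1
  fi
  if ! is_loopback "$addr"; then
    echo "warning: port-forward will listen on $addr, not only on loopback" >&2
  fi
  printf '%s\n' "$addr"
}

# Prints the kubectl command line that would be run.
# $1 namespace, $2 service, $3 local:remote ports, $4 optional address
port_forward_cmd() {
  addr="$(resolve_address "${4:-}")" || return 1
  printf 'kubectl port-forward --namespace %s --address %s service/%s %s\n' \
    "$1" "$addr" "$2" "$3"
}
```

Inside the magsh image the setting could be exported as `0.0.0.0`, while a plain install keeps the localhost default unless the user passes an address explicitly.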