When magsh was introduced (PR #58), in order to support port forwarding in the Docker image to allow opening the UI in localhost, it was needed to set the --address 0.0.0.0 in the kubectl command of mag <component> ui.
Adding --address 0.0.0.0 makes kubectl open the port in all interfaces. In the case of Docker, it can be done through
Before this change kubectl only listened to localhost.
Opening the port in all interfaces is not an issue in the docker image, but running mag-cli in a computer, it will open the ports in all the interfaces, which may create an attack vector.
Potential solutions
1) Enable --address parameter in mag <component> ui and any command that forwards a port so that by default it opens localhost but there is an option for launching the ui kubectl listening to all ports.
2) In docker run test using --network=host when launching magsh.
3) Enable a config setting for enforcing the default behaviour. That way it can be enforced through config to set the address to listen to by default.
4) Make the mag client savvier. If it cannot listen to localhost (which happens in the image) try to listen to the (hostname -i) address.
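
A sketch of how solutions 1 and 3 could fit together, added here as an illustration and not taken from the issue or from mag-cli's code: the bind address comes from the `--address` flag, then from a config value, and otherwise stays on loopback, and the caller gets a warning whenever the port will be reachable beyond loopback. All function names and the target `svc/example-ui` are hypothetical.

```python
# Added example, not mag-cli code. All function names and the sample
# target "svc/example-ui" are hypothetical.
import ipaddress

DEFAULT_ADDRESS = "127.0.0.1"  # kubectl port-forward listens on localhost by default


def exposure(address):
    """Classify a bind address so the CLI can warn before exposing a port."""
    if address == "localhost":
        return "loopback"
    ip = ipaddress.ip_address(address)  # ValueError on anything that is not an IP
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "single-interface"


def resolve_bind_address(cli_address=None, config_address=None):
    """Precedence: --address flag (option 1), config value (option 3), loopback."""
    address = cli_address or config_address or DEFAULT_ADDRESS
    exposure(address)  # validate early; raises ValueError on bad input
    return address


def port_forward_argv(target, local_port, remote_port,
                      cli_address=None, config_address=None):
    """Build the kubectl command line plus a warning (or None) for the caller."""
    address = resolve_bind_address(cli_address, config_address)
    kind = exposure(address)
    warning = None
    if kind != "loopback":
        warning = f"port {local_port} will be reachable on {kind} ({address})"
    argv = ["kubectl", "port-forward", "--address", address,
            target, f"{local_port}:{remote_port}"]
    return argv, warning


if __name__ == "__main__":
    # Constructed inputs: no settings, config-only, and flag overriding config.
    for cli, cfg in [(None, None), (None, "0.0.0.0"), ("127.0.0.1", "0.0.0.0")]:
        argv, warning = port_forward_argv("svc/example-ui", 8080, 80, cli, cfg)
        print(" ".join(argv), "|", warning or "loopback only")
```
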