Expose etcd port unexpected #1035

mingyuanzhu opened this issue Apr 16, 2024 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.


@mingyuanzhu

How to use it?

  • kwok
  • kwokctl --runtime=docker (default runtime)
  • kwokctl --runtime=binary
  • kwokctl --runtime=nerdctl
  • kwokctl --runtime=kind

What happened?

I ran `KUBECONFIG=~/.kube/kube-sampleserver2 KWOK_KUBE_VERSION=v1.18.15 kwokctl create cluster --name=test-sampleserver2 --kube-apiserver-port=6443 --kube-authorization --config=~/Downloads/kwok-test.yaml -v -4` to create a cluster, and I set etcdPort to 0, which should not export the port to local.

What did you expect to happen?

If etcdPort == 0 is set, the etcd port should not be exposed to local.

How can we reproduce it (as minimally and precisely as possible)?

```yaml
kind: KwokctlConfiguration
apiVersion: config.kwok.x-k8s.io/v1alpha1
options:
  etcdPort: 0
  etcdPeerPort: 0
```

```console
$ KUBECONFIG=~/.kube/kube-sampleserver2 KWOK_KUBE_VERSION=v1.18.15 kwokctl create cluster --name=test-sampleserver2 --kube-apiserver-port=6443 --kube-authorization --config=~/Downloads/kwok-test.yaml -v -4
```

Anything else we need to know?

No response

Kwok version

```console
$ kwok --version
kwok version v0.5.1 go1.21.7 (darwin/arm64)

$ kwokctl --version
kwokctl version v0.5.1 go1.21.7 (darwin/arm64)
```

OS version

```console
# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Darwin:
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here
```

mingyuanzhu added the kind/bug label Apr 16, 2024

@wzshiming
Member

wzshiming commented Apr 16, 2024

This behavior is expected, this port is reserved for kwokctl hack and allows it to modify etcd data.

Maybe in the future I'll see if I can do this without exposing the port.

@mingyuanzhu
Author

> This behavior is expected, this port is reserved for kwokctl hack and allows it to modify etcd data.
>
> Maybe in the future I'll see if I can do this without exposing the port.

Hello @wzshiming, when I use v0.4.0, etcd will not map the 2379 port to the local network port. But after I upgrade to v0.5.1, the etcd 2379 port will map to the local network port. And etcd does not support the secure mode. So there may be some security issues. Do you have any suggestions?

@wzshiming
Member

This kwokctl is only used as a tool for development and testing, so why would it be a security issue, what are you using it for?

@mingyuanzhu
Author

mingyuanzhu commented Apr 17, 2024

> This kwokctl is only used as a tool for development and testing, so why would it be a security issue, what are you using it for?

We use the kwokctl to mock the env and run some e2e tests.

@wzshiming
Member

Although, I think it's not a big deal to expose one more port in testing.
However, when #1036 is implemented, this etcd port will not be exposed when not specified.

I will implement it when I have time.
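
To check on a test host whether the etcd client port discussed in this thread is published, and whether it is reachable from other machines, the following added example (not code from kwok or from either participant) classifies each published mapping of port 2379. It assumes the input is the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`; the container names and host ports in the sample are constructed.

```python
import ipaddress
import re

ETCD_CLIENT_PORT = 2379  # etcd client port named in the thread

# One entry of the Ports column, e.g. "0.0.0.0:32765->2379/tcp",
# ":::32765->2379/tcp" or "[::]:32765->2379/tcp".
MAPPING = re.compile(r"^(?P<host>.*):(?P<hport>\d+)->(?P<cport>\d+)/\w+$")


def published_etcd_ports(docker_ps_output, port=ETCD_CLIENT_PORT):
    """Return (container, host_ip, host_port, scope) for each published mapping of `port`.

    scope: "loopback" (local processes only), "all-interfaces" (wildcard bind,
    reachable from the network), "specific-address", or "unknown".
    """
    findings = []
    for line in docker_ps_output.splitlines():
        name, _, ports = line.partition("\t")
        for entry in (p.strip() for p in ports.split(",")):
            m = MAPPING.match(entry)
            if not m or int(m["cport"]) != port:
                continue  # not published ("2379/tcp"), a range, or another port
            host = m["host"].strip("[]")
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                scope = "unknown"
            else:
                if ip.is_loopback:
                    scope = "loopback"
                elif ip.is_unspecified:
                    scope = "all-interfaces"
                else:
                    scope = "specific-address"
            findings.append((name, host, int(m["hport"]), scope))
    return findings


# Constructed sample input: names and host ports are illustrative only.
SAMPLE = (
    "kwok-test-etcd\t0.0.0.0:32765->2379/tcp, :::32765->2379/tcp\n"
    "kwok-test-kube-apiserver\t127.0.0.1:6443->6443/tcp\n"
    "kwok-other-etcd\t127.0.0.1:32766->2379/tcp\n"
    "kwok-third-etcd\t2379/tcp\n"
)

if __name__ == "__main__":
    for name, host, hport, scope in published_etcd_ports(SAMPLE):
        print(f"{name}: etcd published on {host}:{hport} ({scope})")
```

A mapping reported as `all-interfaces` is the case that matters for the concern raised above, since that etcd endpoint is reachable from outside the host unless a firewall blocks it.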
