Open port in all containers


In my OpenShift cluster, I noticed that all my pods have a port that's open without me specifying it. It's port 443, which is apparently used for the k8s API, as mentioned in this post.

Even after reading, I still don't understand something.

I understand that the service exists and forwards to all pods. But for the pods to receive and send requests using this service, the port must be open in the containers. But somehow, even without specifying a port on my pod's container, that default 443 port is open, which allows me to do something like this:

  1. Create service with target port set to 443
  2. Set up pod with no container port open.
  3. Successfully use service to communicate with container.

Is this safe? What opens the container port without me specifying it? Is there a way to prevent this from happening?

Best answer

> I noticed that all my pods have a port that's open without me specifying it.

Yes, the containerPort: is just metadata, the container might listen to other ports as well.

> Is this safe? What opens the container port without me specifying it? Is there a way to prevent this from happening?

Yes, this is what Kubernetes Network Policies are for.