podman play kube should NOT bind ports when hostPort is not specified. #18576

Closed
trchen1033 opened this issue May 15, 2023 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@trchen1033

Issue Description

Expected behavior: podman play kube should only bind container port to the pod port when only containerPort was specified, but the pod port shouldn't bind to the host port.
Actual behavior: podman play kube binds the container port to the host even if hostPort was not specified in the pod spec.

The reason being that there are orchestrations that only expose an internal service to another internal service, for example, an application server that only talks to an nginx reverse proxy. This has security implications because the reverse proxy may implement authentication for the service.

The behavior is also documented at https://kubernetes.io/docs/concepts/configuration/overview/

Don't specify a hostPort for a Pod unless it is absolutely necessary. When you bind a Pod to a hostPort, it limits the number of places the Pod can be scheduled, because each <hostIP, hostPort, protocol> combination must be unique. If you don't specify the hostIP and protocol explicitly, Kubernetes will use 0.0.0.0 as the default hostIP and TCP as the default protocol.

This was correctly implemented in earlier versions of podman, but was changed at the request of an erroneous bug report:
Erroneous previous bug report: #15942
Merge request that changed the behavior: #15946

Steps to reproduce the issue

  1. podman play kube this YAML spec:
apiVersion: v1
kind: Pod
metadata:
  name: test_pod
spec:
  containers:
  - name: test
    image: docker.io/nginx
    ports:
    - containerPort: 443

Describe the results you received

podman ps shows 0.0.0.0:443->443/tcp when it's not supposed to.

Describe the results you expected

podman ps should show no exposed ports.

podman info output

host:
  arch: amd64
  buildahVersion: 1.30.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  - rdma
  - misc
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon_100:2.1.7-1_amd64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.7, commit: f633919178f6c8ee4fb41b848a056ec33f8d707d'
  cpuUtilization:
    idlePercent: 86.03
    systemPercent: 12.59
    userPercent: 1.38
  cpus: 4
  databaseBackend: boltdb
  distribution:
    codename: bullseye
    distribution: debian
    version: "11"
  eventLogger: file
  hostname: pve
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 5.15.107-2-pve
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 12075544576
  memTotal: 16725176320
  networkBackend: cni
  ociRuntime:
    name: crun
    package: crun_100:1.8.4-1_amd64
    path: /usr/bin/crun
    version: |-
      crun version 1.8.4
      commit: 5a8fa99a5e41facba2eda4af12fa26313918805b
      rundir: /run/user/0/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  security:
    apparmorEnabled: true
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 0h 39m 37.00s
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - quay.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 6
    paused: 0
    running: 6
    stopped: 0
  graphDriverName: zfs
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 4932486168576
  graphRootUsed: 33947648
  graphStatus:
    Compression: "on"
    Parent Dataset: rpool/podman/storage
    Parent Quota: "no"
    Space Available: "4932452248904"
    Space Used By Parent: "1024538592"
    Zpool: rpool
    Zpool Health: ONLINE
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 8
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 4.5.0
  Built: 0
  BuiltTime: Wed Dec 31 19:00:00 1969
  GitCommit: ""
  GoVersion: go1.20.4
  Os: linux
  OsArch: linux/amd64
  Version: 4.5.0

Podman in a container

No

Privileged Or Rootless

None

Upstream Latest Release

Yes

Additional environment details

No response

Additional information

No response
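An added audit check (not part of the issue or of podman) for the exposure described in this report: it parses the Ports column of podman ps and flags any host binding that no hostPort entry in the pod spec authorises, applying the Kubernetes defaults quoted above (hostIP 0.0.0.0, protocol TCP). The spec ports are passed as a list of dicts mirroring the YAML; the sample values are constructed from the report.

```python
import re

# Shape of a podman ps "Ports" entry, e.g. "0.0.0.0:443->443/tcp" or
# "127.0.0.1:8000-8001->8000-8001/udp" (ranges are expanded below).
_PORT_RE = re.compile(
    r"^(?P<ip>.+):(?P<host>\d+)(?:-(?P<host_end>\d+))?->"
    r"(?P<ctr>\d+)(?:-(?P<ctr_end>\d+))?/(?P<proto>\w+)$"
)

def parse_ps_ports(ports_field):
    """Expand a podman ps Ports field into (hostIP, hostPort, containerPort, proto) tuples."""
    bindings = set()
    for entry in filter(None, (e.strip() for e in ports_field.split(","))):
        m = _PORT_RE.match(entry)
        if not m:
            raise ValueError(f"unrecognised port entry: {entry!r}")
        host_start = int(m["host"])
        host_end = int(m["host_end"] or host_start)
        ctr_start = int(m["ctr"])
        for offset in range(host_end - host_start + 1):
            bindings.add((m["ip"], host_start + offset, ctr_start + offset, m["proto"].lower()))
    return bindings

def intended_host_bindings(spec_ports):
    """Bindings the kube spec actually asks for: only entries that carry hostPort.
    Kubernetes defaults hostIP to 0.0.0.0 and protocol to TCP when they are omitted."""
    intended = set()
    for p in spec_ports:
        if "hostPort" in p:
            intended.add((p.get("hostIP", "0.0.0.0"), int(p["hostPort"]),
                          int(p["containerPort"]), p.get("protocol", "TCP").lower()))
    return intended

def unexpected_host_bindings(spec_ports, ports_field):
    """Host bindings present in podman ps that no hostPort entry in the spec authorises."""
    return sorted(parse_ps_ports(ports_field) - intended_host_bindings(spec_ports))

# Constructed sample mirroring the report: the spec has only containerPort: 443,
# yet podman ps shows 0.0.0.0:443->443/tcp.
ISSUE_SPEC_PORTS = [{"containerPort": 443}]
ISSUE_PS_PORTS = "0.0.0.0:443->443/tcp"

if __name__ == "__main__":
    for b in unexpected_host_bindings(ISSUE_SPEC_PORTS, ISSUE_PS_PORTS):
        print("unexpected host binding:", b)
```

On a live host the Ports field comes from `podman ps --format '{{.Ports}}'`; an empty result means the pod is not published on the host at all.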

@trchen1033 trchen1033 added the kind/bug Categorizes issue or PR as related to a bug. label May 15, 2023
@trchen1033
Author

Ugh, never mind. Just saw another report mentioning the same thing.
#17028

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Aug 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 24, 2023