Add --publish-all flag for kube play

[Shikachuu]

Does this PR introduce a user-facing change?

Added `--publish-all` flag for CLI, which prevents container port publication without specifying a `hostPort` pair.

Added `publishAll` query parameter for API, which prevents container port publication without specifying a `hostPort` pair.

Closes #17028

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Shikachuu
Once this PR has been reviewed and has the lgtm label, please assign edsantiago for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

Please update man pages.

[vrothberg]

Thanks!

We also need to add a test or two.

[vrothberg]

For this to work remotely, we also need to touch pkg/bindings. Those are the go-bindings podman-remote uses. In case the client does not set the publish-all parameter, we should query contianers.conf here and use the configured defaults on the server side.

[Shikachuu]

Since it is mostly generated code I might need some guidance.

The PlayOptions in pkg/binding/kube/types.go needs to be modified right?

After that we need to check if the flag is checked in the PlayWithBody func in the pkg/binding/kube/kube.go if I'm not mistaken.

Where and how should I run the generate command?

Currently I'm not sure how and where should I query the containers.conf may I require some aditional information about where should we do that exactly?

[Shikachuu]

Thanks!

We also need to add a test or two.

Sure!
First I think we should get it to work using both the go bindings, the API and locally too.

After that I'll add test cases for each of the above mentioned use cases.

[joelpurra]

@Shikachuu: both the commit message and pull request description are outdated; could they be changed? In brief, they are not reflecting recent decisions in #17028 where the --publish-all flag usage was inverted to resolve a security issue.

My own summary:

• The new podman kube play flag --publish-all is used to explicitly publish containerPort(s) without a corresponding hostPort.
• Specifying hostPort is (again) required in order for podman kube play to by default publish a container port to the host. This reflects standard Kubernetes YAML behavior.
• This is a breaking change in podman kube play, reverting behavior in podman v4.3.0-v4.5.0 where containerPort(s) were automatically published without an explicit hostPort (pull request Default missing hostPort to containerPort is defined in kube.yaml #15946 from issue podman play kube only binds ports when hostPort is specified. #15942).
• Resolves the security issue of unexpectedly exposing container ports on the host network (issues [Bug]: Disable automatic publishing of all ports for kube play #17028 and podman play kube should NOT bind ports when hostPort is not specified. #18576).

The start (v4.3.0) of the version range is based on when #15946 was first included. The end (current release v4.5.0) of the version range depends on which release this pull request is first included.

Edit: referencing decisions in #17028 rather than #18576.

[github-actions]

A friendly reminder that this PR had no activity for 30 days.

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rhatdan]

@Shikachuu Still working on this?