use ports 443, 80

cmd/all_in_one.go

@@ -79,7 +79,8 @@ func AllInOneCommand() (*cobra.Command, error) {
 		Command: cobra.Command{
 			Use:   "all-in-one",
 			Short: "run ingress controller together with pomerium in all-in-one mode",
-		}}
+		},
+	}
 	cmd.RunE = cmd.exec
 	if err := cmd.setupFlags(); err != nil {
 		return nil, err
@@ -113,8 +114,8 @@ func (s *allCmd) setupFlags() error {
 	flags.BoolVar(&s.debugEnvoy, debugEnvoy, false, "enable debug logging for envoy")
 	flags.StringVar(&s.metricsBindAddress, metricsBindAddress, "", "host:port for aggregate metrics. host is mandatory")
 	flags.StringVar(&s.adminBindAddr, debugAdminBindAddr, "", "host:port for admin server")
-	flags.StringVar(&s.serverAddr, "server-addr", ":8443", "the address the HTTPS server would bind to")
-	flags.StringVar(&s.httpRedirectAddr, "http-redirect-addr", ":8080", "the address HTTP redirect would bind to")
+	flags.StringVar(&s.serverAddr, "server-addr", ":443", "the address the HTTPS server would bind to")
+	flags.StringVar(&s.httpRedirectAddr, "http-redirect-addr", ":80", "the address HTTP redirect would bind to")
 	flags.StringVar(&s.deriveTLS, "databroker-auto-tls", "", "enable auto TLS and generate server certificate for the domain")
 	flags.DurationVar(&s.configControllerShutdownTimeout, configControllerShutdown, time.Second*30, "timeout waiting for graceful config controller shutdown")
 

config/pomerium/deployment/no-root.yaml

@@ -7,10 +7,16 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
+        sysctls:
+          - name: net.ipv4.ip_unprivileged_port_start
+            value: "80"
       containers:
         - name: pomerium
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
             runAsNonRoot: true
             runAsGroup: 65532
             runAsUser: 65532

config/pomerium/deployment/ports.yaml

@@ -8,14 +8,14 @@ spec:
       containers:
         - name: pomerium
           ports:
-            - containerPort: 8443
+            - containerPort: 443
               name: https
               protocol: TCP
-            - containerPort: 8443
+            - containerPort: 443
               name: quic
               protocol: UDP
             - name: http
-              containerPort: 8080
+              containerPort: 80
               protocol: TCP
             - name: metrics
               containerPort: 9090

deployment.yaml

@@ -770,13 +770,13 @@ spec:
         imagePullPolicy: Always
         name: pomerium
         ports:
-        - containerPort: 8443
+        - containerPort: 443
           name: https
           protocol: TCP
-        - containerPort: 8443
+        - containerPort: 443
           name: quic
           protocol: UDP
-        - containerPort: 8080
+        - containerPort: 80
           name: http
           protocol: TCP
         - containerPort: 9090
@@ -791,6 +791,9 @@ spec:
             memory: 200Mi
         securityContext:
           allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
           readOnlyRootFilesystem: true
           runAsGroup: 65532
           runAsNonRoot: true
@@ -802,6 +805,9 @@ spec:
         kubernetes.io/os: linux
       securityContext:
         runAsNonRoot: true
+        sysctls:
+        - name: net.ipv4.ip_unprivileged_port_start
+          value: "80"
       serviceAccountName: pomerium-controller
       terminationGracePeriodSeconds: 10
       volumes: