From 869eafb7e3f67a03e09f92bb6fdb9c14779dd037 Mon Sep 17 00:00:00 2001 From: Jose Cortes Date: Fri, 17 Sep 2021 13:16:01 -0400 Subject: [PATCH] Add docs for numeric ports. Signed-off-by: Jose Cortes --- reference/cluster-config.md | 56 +++++++++++++++++++++++++++++++++---- releaseNotes.yml | 9 ++++-- 2 files changed, 57 insertions(+), 8 deletions(-) diff --git a/reference/cluster-config.md b/reference/cluster-config.md index 1277c8bd83..613ca69133 100644 --- a/reference/cluster-config.md +++ b/reference/cluster-config.md @@ -201,11 +201,6 @@ To solve this issue, you can use Telepresence's Mutating Webhook alternative mec workloads will then stay untouched and only the underlying pods will be modified to inject the Traffic Agent sidecar container and update the port definitions. - -A current limitation of the Mutating Webhook mechanism is that the targetPort of your intercepted -Service needs to point to the name of a port on your container, not the port number itself. - - Simply add the `telepresence.getambassador.io/inject-traffic-agent: enabled` annotation to your workload template's annotations: @@ -221,6 +216,7 @@ workload template's annotations: containers: ``` + ### Service Port Annotation A service port annotation can be added to the workload to make the Mutating Webhook select a specific port 
@@ -238,3 +234,53 @@ in the service. This is necessary when the service has multiple ports. spec: containers: ``` + +### Note on numeric ports + +If the targetPort of your intercepted Service is pointing at a port number, in addition to +injecting the Traffic Agent sidecar, Telepresence will also inject an initContainer that will +reconfigure the pod's firewall rules to redirect traffic to the Traffic Agent. + + +Note that this initContainer requires `NET_ADMIN` capabilities. +If your cluster administrator has disabled them, you will be unable to use numeric ports with the agent injector. + + +For example, the following service is using a numeric port, and so Telepresence would inject an initContainer into it: +```yaml +apiVersion: v1 +kind: Service +metadata: + name: your-service +spec: + type: ClusterIP + selector: + service: your-service + ports: + - port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: your-service + labels: + service: your-service +spec: + replicas: 1 + selector: + matchLabels: + service: your-service + template: + metadata: + annotations: + telepresence.getambassador.io/inject-traffic-agent: enabled + labels: + service: your-service + spec: + containers: + - name: your-container + image: jmalloc/echo-server + ports: + - containerPort: 8080 +``` diff --git a/releaseNotes.yml b/releaseNotes.yml index ba5867282d..e2768196a8 100644 --- a/releaseNotes.yml +++ b/releaseNotes.yml @@ -30,11 +30,14 @@ docDescription: >- changelog: https://github.com/telepresenceio/telepresence/blob/$branch$/CHANGELOG.md items: - - version: 2.4.4 date: 'TBD' - notes: [] - + notes: + - type: feature + title: Numeric ports in agent injector + body: >- + The agent injector now supports injecting Traffic Agents into pods that have unnamed ports. + docs: reference/cluster-config/#note-on-numeric-ports - version: 2.4.3 date: '2021-09-15' notes:
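Review bot: in the first reference/cluster-config.md hunk (@@ -201,11 +201,6), the paragraph saying the targetPort "needs to point to the name of a port on your container" is deleted outright, with no version qualifier left behind. The releaseNotes.yml hunk ties numeric port support to 2.4.4, so a reader on an earlier release loses the only statement of the limitation. Suggest replacing the paragraph with one sentence that says named ports were required before 2.4.4 and links to the new "Note on numeric ports" section.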
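Review bot: in the "Note on numeric ports" section added by the @@ -238,3 +234,53 hunk, the sentence "Note that this initContainer requires `NET_ADMIN` capabilities" gives readers no fallback when that capability is blocked. The text removed earlier in this patch documented that a named targetPort works with the webhook, so say here that switching the Service to a named port avoids the initContainer and the capability. It would also help to state whether only the initContainer needs `NET_ADMIN` or whether the Traffic Agent sidecar does as well, since reviewers of pod security settings will ask. Separately, "Telepresence would inject an initContainer into it" follows "the following service", but the initContainer is added to the pod, so reword to refer to the pods of the Deployment in the example.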
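Review bot: in the releaseNotes.yml hunk, the 2.4.4 entry body says "pods that have unnamed ports", while the section it links to speaks of "numeric ports" and a targetPort "pointing at a port number"; pick one term so the release note and the reference page match. The body also leaves out that this path injects an initContainer requiring `NET_ADMIN`, which is the detail a cluster operator most needs before upgrading; add a sentence for it. The `date: 'TBD'` value is unchanged context here, but it should be filled in before this entry ships.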