
Bind the healthz port for trident-node to localhost

Status: Open. Cellebyte opened this issue 4 months ago • 3 comments

Describe the solution you'd like

Adapt the current DaemonSets and Deployments that use hostNetwork: true so that the bind address can be configured as either the node IP or localhost. This would require adding a new environment variable to the DaemonSet or Deployment, or configuring [::1] (localhost) for it.

using node-ip

  containers:
  - # ...
    # name:
    args:
    # pick one of the two binds; the last --https_address given wins
    - "--https_address=[::1]" # localhost bind
    - "--https_address=$(KUBERNETES_HOST_IP)" # node-ip bind
    - "--https_port={PROBE_PORT}"
    ports:
    - containerPort: {PROBE_PORT}
      name: healthz
      protocol: TCP
    env:
    - name: KUBERNETES_HOST_IP
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: status.hostIP
    startupProbe:
      httpGet:
        host: localhost
        path: /liveness
        scheme: HTTPS
        port: {PROBE_PORT}
      failureThreshold: 5
      timeoutSeconds: 5
      periodSeconds: 10
    livenessProbe:
      httpGet:
        host: localhost
        path: /liveness
        scheme: HTTPS
        port: {PROBE_PORT}
      failureThreshold: 5
      timeoutSeconds: 5
      periodSeconds: 10
    readinessProbe:
      httpGet:
        host: localhost
        path: /readiness
        scheme: HTTPS
        port: {PROBE_PORT}
      failureThreshold: 5
      timeoutSeconds: 5
      periodSeconds: 10
      initialDelaySeconds: 15

Describe alternatives you've considered

  1. Install a mutating Webhook which manipulates the DaemonSet during apply.
  2. Hardcode https_address to bind to localhost ([::1] or 127.0.0.1). If the endpoint is only needed for the kubelet's liveness, readiness and startup probes, it does not need to be exposed to external systems.

Additional context

This ensures that the probe endpoint is not accidentally exposed to other networks. It should be configurable. As long as it stays as it is, every additional IP configured on the node could accept traffic for the probe endpoint.

Cellebyte, Jul 31 '25 14:07
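The risk the issue describes, and the two remedies it lists (make the bind address configurable, or pin it to loopback, for example via a mutating webhook), can be checked mechanically on a manifest before it is applied. The following is an added example written for this discussion, not code from the Trident project or from the issue author. It audits a pod spec of the shape shown above: with `hostNetwork: true`, a `--https_address` that is unset, a wildcard, or the node IP (`$(KUBERNETES_HOST_IP)`) means the healthz listener is reachable from every network the node sits on, while a loopback bind is reachable only by the kubelet on that node. It also flags probes that target `localhost` while the listener is bound elsewhere. The container name `trident-main`, the port `8443` and the spec embedded at the bottom are constructed placeholders, not values from the page.

```python
"""Audit a hostNetwork pod spec for an exposed probe endpoint (added example)."""
import re
from copy import deepcopy

# Addresses that only this node can reach vs. addresses that mean "everything".
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}
WILDCARD = {"", "0.0.0.0", "[::]", "::"}
PROBES = ("startupProbe", "livenessProbe", "readinessProbe")


def bind_address(container):
    """Return the value of the last --https_address=... arg, or None if absent.
    Most flag parsers let the last occurrence win, so that is what we report."""
    addr = None
    for arg in container.get("args", []):
        m = re.fullmatch(r"--https_address=(.*)", arg)
        if m:
            addr = m.group(1)
    return addr


def classify_bind(addr):
    """Classify where a listener bound to `addr` is reachable from."""
    if addr is None or addr in WILDCARD:
        return "all-interfaces"
    if addr in LOOPBACK:
        return "loopback"
    if addr.startswith("$("):  # e.g. $(KUBERNETES_HOST_IP), expanded from status.hostIP
        return "node-ip"
    return "specific-ip"


def audit_pod_spec(pod_spec):
    """Return a list of findings; an empty list means the spec is acceptable."""
    findings = []
    host_network = bool(pod_spec.get("hostNetwork", False))
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        kind = classify_bind(bind_address(c))
        # Exposure: hostNetwork puts the listener straight on the node's interfaces.
        if host_network and kind in ("all-interfaces", "node-ip"):
            findings.append(
                f"{name}: hostNetwork=true and healthz bound to {kind}; the probe "
                "endpoint is reachable from every network attached to the node")
        # Consistency: a probe aimed at loopback cannot reach a non-loopback-only bind.
        # (IPv4-vs-IPv6 loopback mismatches are not modelled here.)
        for probe in PROBES:
            http = c.get(probe, {}).get("httpGet")
            if http and http.get("host") in LOOPBACK and kind in ("node-ip", "specific-ip"):
                findings.append(
                    f"{name}: {probe} targets {http['host']} but the listener is "
                    f"bound to {kind}; the probe can never succeed")
    return findings


def pin_to_loopback(pod_spec, address="[::1]"):
    """Return a copy of the spec with every --https_address rewritten to loopback.
    This is the mutation a webhook (alternative 1 in the issue) would apply."""
    fixed = deepcopy(pod_spec)
    for c in fixed.get("containers", []):
        c["args"] = [f"--https_address={address}" if a.startswith("--https_address=") else a
                     for a in c.get("args", [])]
    return fixed


def _probe(path, port):
    return {"httpGet": {"host": "localhost", "path": path, "scheme": "HTTPS", "port": port}}


# Constructed sample: the node-ip variant from the issue, with hostNetwork enabled.
EXPOSED_SPEC = {
    "hostNetwork": True,
    "containers": [{
        "name": "trident-main",  # assumed container name, not taken from the page
        "args": ["--https_address=$(KUBERNETES_HOST_IP)", "--https_port=8443"],
        "env": [{"name": "KUBERNETES_HOST_IP",
                 "valueFrom": {"fieldRef": {"apiVersion": "v1", "fieldPath": "status.hostIP"}}}],
        "startupProbe": _probe("/liveness", 8443),
        "livenessProbe": _probe("/liveness", 8443),
        "readinessProbe": _probe("/readiness", 8443),
    }],
}

if __name__ == "__main__":
    for line in audit_pod_spec(EXPOSED_SPEC):
        print("FINDING:", line)
    print("after pinning to loopback:", audit_pod_spec(pin_to_loopback(EXPOSED_SPEC)))
```

Run as a script it prints four findings for the constructed spec (one exposure finding plus one per probe, since all three probes target `localhost` while the listener is bound to the node IP) and an empty list once `pin_to_loopback` has rewritten the argument. The same functions can be pointed at a rendered manifest (parsed with a YAML library into the same dict shape) as a pre-apply gate in a GitOps pipeline.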

Hi @Cellebyte, for this level of customization we recommend using tridentctl install --generate-custom-yaml and tridentctl install --use-custom-yaml to input your custom options for either the deployment or daemonset.

torirevilla, Aug 20 '25 16:08

@torirevilla, we install Trident using GitOps and not via the CLI, and it would be great to either expose this setting through the installer or always set it to localhost.

Cellebyte, Aug 26 '25 14:08

Hi, @Cellebyte. Understood you are using GitOps, but how did you create your starting YAML? Even if not installing Trident with tridentctl, you can still use tridentctl install --generate-custom-yaml to seed your GitOps workflow, allowing you to modify the YAML however you need.

clintonk, Sep 02 '25 20:09