From a833437293052e95087d3d12fe966c57414b8349 Mon Sep 17 00:00:00 2001
From: Aviram Hassan
Date: Mon, 5 Aug 2024 12:54:48 +0300
Subject: [PATCH] 3000 -> 443 operator port (#2631)
* 3000 -> 443 operator port
* .
* ..
* areally
* ..
* r
---
 changelog.d/+operator-port.changed.md | 1 +
 mirrord/operator/src/setup.rs | 18 ++++++++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)
 create mode 100644 changelog.d/+operator-port.changed.md
diff --git a/changelog.d/+operator-port.changed.md b/changelog.d/+operator-port.changed.md
new file mode 100644
index 00000000000..c68375cea59
--- /dev/null
+++ b/changelog.d/+operator-port.changed.md
@@ -0,0 +1 @@
+Change operator port from 3000 to 443 to work without any FW exceptions
\ No newline at end of file
diff --git a/mirrord/operator/src/setup.rs b/mirrord/operator/src/setup.rs
index 27ada24a593..0fc49a8343e 100644
--- a/mirrord/operator/src/setup.rs
+++ b/mirrord/operator/src/setup.rs
@@ -4,9 +4,10 @@ use k8s_openapi::{
 api::{
 apps::v1::{Deployment, DeploymentSpec},
 core::v1::{
- Container, ContainerPort, EnvVar, HTTPGetAction, Namespace, PodSpec, PodTemplateSpec,
- Probe, ResourceRequirements, Secret, SecretVolumeSource, SecurityContext, Service,
- ServiceAccount, ServicePort, ServiceSpec, Volume, VolumeMount,
+ Container, ContainerPort, EnvVar, HTTPGetAction, Namespace, PodSecurityContext,
+ PodSpec, PodTemplateSpec, Probe, ResourceRequirements, Secret, SecretVolumeSource,
+ SecurityContext, Service, ServiceAccount, ServicePort, ServiceSpec, Sysctl, Volume,
+ VolumeMount,
 },
 rbac::v1::{
 ClusterRole, ClusterRoleBinding, PolicyRule, Role, RoleBinding, RoleRef, Subject,
@@ -28,7 +29,9 @@ use thiserror::Error;
 use crate::crd::{MirrordPolicy, TargetCrd};
 static OPERATOR_NAME: &str = "mirrord-operator";
-static OPERATOR_PORT: i32 = 3000;
+/// 443 is standard port for APIService, do not change this value
+/// (will require users to add FW rules)
+static OPERATOR_PORT: i32 = 443;
 static OPERATOR_ROLE_NAME: &str = "mirrord-operator";
 static OPERATOR_ROLE_BINDING_NAME: &str = "mirrord-operator";
 static OPERATOR_CLIENT_CA_ROLE_NAME: &str = "mirrord-operator-apiserver-authentication";
@@ -329,6 +332,13 @@ impl OperatorDeployment {
 };
 let pod_spec = PodSpec {
+ security_context: Some(PodSecurityContext {
+ sysctls: Some(vec![Sysctl {
+ name: "net.ipv4.ip_unprivileged_port_start".to_owned(),
+ value: "443".to_owned(),
+ }]),
+ ..Default::default()
+ }),
 containers: vec![container],
 service_account_name: Some(sa.name().to_owned()),
 volumes: Some(volumes),
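Review bot: The sysctl value in the new `security_context` block hard-codes `"443"` while the listening port comes from `OPERATOR_PORT` in the preceding hunk, so a later edit to the constant would leave the pod unable to bind its port; `value: OPERATOR_PORT.to_string(),` keeps the two in step. The block also needs a comment saying why it is there, e.g. `// 443 is a privileged port; lowering ip_unprivileged_port_start lets the (presumably non-root) operator process bind it without root or CAP_NET_BIND_SERVICE.` Note that `net.ipv4.ip_unprivileged_port_start` is on the kubelet's safe-sysctl list only from Kubernetes 1.22, and clusters whose admission policy rejects pod sysctls will refuse the pod with `SysctlForbidden`, so the changelog entry should state that requirement rather than only the firewall benefit. The setting applies to the whole pod network namespace, so any sidecar in the pod can bind ports from 443 upward, a small widening worth recording in the same comment. The function building `pod_spec` starts and ends outside the hunk.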