Unless I am missing some obvious setting:
Restricted Kubernetes doesnt work like that. You have to run the container with a non-root UID (usually something upwards of a million). Non-root users however can’t reserve ports below 1025. Nextcloud builds on the default php-apache image which comes with the default apache ports.conf (Listen 80).
So now this has to be overwritten either by making a custom build (which may require creating a custom build pipeline) or by mounting a new config file (e.g. via ConfigMap) else it wont start. Both are an additional update risk which now has to be documented and checked before updating in addition to changes from the normal nextcloud changelog.
Similiar issues probably appear with rootless docker/podman unless you add extra capabilities, which is not possible in restricted kubernetes settings.
I know nothing about k8s, just started with a homelab using primarily docker in an Ubuntu LXC in proxmox and have been using the nextcloud image via docker compose on a different port by simply editing the compose to outwardly point to a different port, inside the docker container my understanding is it all still uses port 80, thereby causing no further issues with the application.
Welcome to the community then :) For rootful Docker you are correct - the inside port can be 80 and you can expose it on whatever port you want (ideally you expose it only via reverse proxy and not by port - I can recommend Caddy-Docker-Proxy for that)
Absolutely, it is not necessary if the proxy can reach the service in other ways (e.g. a shared network). Some non-http services don’t like to be proxied though. Some constellations where the proxy is not on the same host as the containers may also make it necessary. My answer was based on the possibility to not have the same inside/outside port, not necessarily the need though😉
Unless I am missing some obvious setting: Restricted Kubernetes doesnt work like that. You have to run the container with a non-root UID (usually something upwards of a million). Non-root users however can’t reserve ports below 1025. Nextcloud builds on the default php-apache image which comes with the default apache ports.conf (Listen 80).
So now this has to be overwritten either by making a custom build (which may require creating a custom build pipeline) or by mounting a new config file (e.g. via ConfigMap) else it wont start. Both are an additional update risk which now has to be documented and checked before updating in addition to changes from the normal nextcloud changelog.
Similiar issues probably appear with rootless docker/podman unless you add extra capabilities, which is not possible in restricted kubernetes settings.
I know nothing about k8s, just started with a homelab using primarily docker in an Ubuntu LXC in proxmox and have been using the nextcloud image via docker compose on a different port by simply editing the compose to outwardly point to a different port, inside the docker container my understanding is it all still uses port 80, thereby causing no further issues with the application.
Welcome to the community then :) For rootful Docker you are correct - the inside port can be 80 and you can expose it on whatever port you want (ideally you expose it only via reverse proxy and not by port - I can recommend Caddy-Docker-Proxy for that)
If you’re using a reverse-proxy, why bother mapping ports at all?
Absolutely, it is not necessary if the proxy can reach the service in other ways (e.g. a shared network). Some non-http services don’t like to be proxied though. Some constellations where the proxy is not on the same host as the containers may also make it necessary. My answer was based on the possibility to not have the same inside/outside port, not necessarily the need though😉
I use Traefik already, but thank you! :)
Also a great choice :)
Got me curious on rootless vs root docker, there’s so much.
Since rootless docker is (mostly) a security improvement, here is a interesting list of other Docker realted security tips I like to consult: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html