Is it OK that flanneld is listening on the public interface, UDP port 8472?

1/12/2019

Security-wise, is it OK that flanneld is listening on the public interface on UDP port 8472?

Normally Kubernetes nodes live in the cloud, hidden behind dozens of firewalls; they mostly operate in their local virtual network and only expose ports to the public if an administrator approves them manually.

But here I have a bare-metal server which is directly connected to the internet, and I'm not sure if I should add firewall rules to block connections from the outside (the default firewall policy is ACCEPT).

For instance, I've configured etcd3 to listen for client connections on 127.0.0.1; furthermore, clients must authenticate themselves with TLS certificates. However, flannel doesn't seem to have any authentication/authorization mechanism.

I understand that flanneld operates in the Transport Layer. Therefore it has information from the previous layers. So would it try to drop any connection from IPs that are not in etcd?

For now, my final intent is to create a single-node Kubernetes "cluster".

-- NarūnasK
Tags: etcd, etcd3, flannel, flanneld, kubernetes

0 Answers
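An added example, not from the question or the flannel project: a small POSIX shell helper that spots a UDP 8472 socket bound to the wildcard address in `ss -ulnH` output and prints iptables rules that accept VXLAN traffic only from the node subnet. The subnet 10.0.0.0/24, the interface name eth0 and the sample `ss` lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the flannel project).
# Assumptions: node subnet 10.0.0.0/24, public interface eth0, and the
# SAMPLE_SS text below is a constructed stand-in for real `ss -ulnH` output.

FLANNEL_PORT=8472   # default UDP port of flannel's VXLAN backend

# Constructed sample of `ss -ulnH` output: flanneld bound to the wildcard
# address (reachable on every interface), chrony bound to loopback only.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:8472 0.0.0.0:* users:(("flanneld",pid=1234,fd=9))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
UNCONN 0 0 [::1]:323 [::]:*'

# exposed_listeners PORT: read ss -ulnH output on stdin and print the local
# address of every UDP socket on PORT that is bound to 0.0.0.0 or [::].
# A loopback or private-interface binding prints nothing.
exposed_listeners() {
    awk -v port="$1" '{
        n = split($4, parts, ":");
        if (parts[n] != port) next;
        addr = $4; sub(/:[0-9]+$/, "", addr);
        if (addr == "0.0.0.0" || addr == "[::]") print addr
    }'
}

# vxlan_firewall_rules SUBNET IFACE PORT: print iptables commands that accept
# VXLAN traffic on PORT only from SUBNET and drop the rest. VXLAN carries no
# authentication, so with a default ACCEPT policy the explicit DROP is what
# keeps arbitrary Internet hosts out of the overlay. Printed, not executed.
vxlan_firewall_rules() {
    subnet=$1; iface=$2; port=$3
    printf 'iptables -A INPUT -i %s -p udp --dport %s -s %s -j ACCEPT\n' "$iface" "$port" "$subnet"
    printf 'iptables -A INPUT -i %s -p udp --dport %s -j DROP\n' "$iface" "$port"
}

# Usage on a real node:  ss -ulnH | exposed_listeners "$FLANNEL_PORT"
# then review and run:   vxlan_firewall_rules 10.0.0.0/24 eth0 "$FLANNEL_PORT"
```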