The self-managed bare-metal Kubernetes worker node is using NodePort (there is a reason for using NodePort) for ingress traffic. I need to allow incoming connections only to the NodePort port.
This is what I did, and it works, but it is not ideal because Calico and kube-proxy also use iptables:
# Each rule is inserted at position 1 of INPUT, ahead of the chains that Calico and kube-proxy install (final order: icmp, udp, tcp).
# There is no RELATED,ESTABLISHED exception, so replies to connections the node itself opens out of eth1 are dropped as well.
iptables -I INPUT 1 -i eth1 -p tcp ! --dport 443 -j DROP   # drop TCP to every port except 443
iptables -I INPUT 1 -i eth1 -p udp -j DROP                  # drop all UDP arriving on eth1
iptables -I INPUT 1 -i eth1 -p icmp -j DROP                 # drop all ICMP arriving on eth1
This is what I tried with Calico, and it is not working:
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:
    role: k8s-worker
    environment: production
spec:
  interfaceName: eth1
  node: node1
  ports:              # named ports that policies can refer to; this list does not itself filter traffic
    - name: https
      port: 443
      protocol: TCP
Is it possible to achieve this with Calico, or is adding iptables rules the only solution in this case?
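The following is an added example, not configuration from the question author. It shows the Calico construct that corresponds to the iptables rules above: a HostEndpoint for eth1 plus GlobalNetworkPolicies with preDNAT set, because kube-proxy rewrites the destination of NodePort traffic before ordinary host endpoint ingress policy is evaluated, and forwarded traffic is only covered by policies with applyOnForward. The node name node1 and interface eth1 come from the question; the label host-endpoint, the policy names and the address 192.0.2.10 are assumptions to be replaced with real values.

```yaml
# Added example, not the question author's manifests.
# Assumes node "node1", interface eth1, and an ASSUMED eth1 address of 192.0.2.10.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:
    role: k8s-worker
    environment: production
    host-endpoint: ingress       # assumed label; the policies below select on it
spec:
  interfaceName: eth1
  node: node1
  expectedIPs:
    - 192.0.2.10                 # assumed; use the real address on eth1
---
# Evaluated before kube-proxy's NodePort DNAT, so it still sees destination port 443.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: eth1-allow-https-ingress    # assumed name
spec:
  order: 10                         # lower order is evaluated first
  selector: host-endpoint == 'ingress'
  preDNAT: true
  applyOnForward: true              # required with preDNAT; NodePort traffic is forwarded to pods
  ingress:
    - action: Allow
      protocol: TCP
      destination:
        ports: [443]
---
# Everything else arriving on eth1 (other TCP ports, UDP, ICMP) is denied.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: eth1-deny-other-ingress     # assumed name
spec:
  order: 20
  selector: host-endpoint == 'ingress'
  preDNAT: true
  applyOnForward: true
  ingress:
    - action: Deny
```

Apply the manifests with calicoctl apply -f (kubectl works only when the Calico API server is installed). Two caveats a practitioner should check: preDNAT policies may contain only ingress rules, and Calico keeps its failsafe inbound ports (SSH on 22 among them by default) open on every host endpoint regardless of policy, so if 22 must also be closed on eth1 the failsafeInboundHostPorts list in FelixConfiguration has to be tightened. Because the selector matches only the eth1 HostEndpoint, traffic on the node's other interfaces is unaffected.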