Kubernetes node firewall

2/2/2022

The self-managed bare-metal Kubernetes worker node is using NodePort (there is a reason for using NodePort) for ingress traffic. I need to allow incoming connections only to the NodePort port.

This is what I did, and it is working, but it is not ideal as Calico and kube-proxy also use iptables:

# Each -I INPUT 1 inserts at the top, so the final order is icmp, udp, tcp, all evaluated before the Calico and kube-proxy chains in INPUT.
# Caveat: this also drops replies to connections the node itself opens via eth1 unless an ESTABLISHED,RELATED accept is inserted ahead of these rules.
iptables -I INPUT 1 -i eth1 -p tcp ! --dport 443 -j DROP   # drop TCP to anything except the NodePort
iptables -I INPUT 1 -i eth1 -p udp -j DROP                  # drop all UDP arriving on eth1
iptables -I INPUT 1 -i eth1 -p icmp -j DROP                 # drop all ICMP on eth1 (ping, but also fragmentation-needed messages used by PMTUD)

This is what I tried with Calico, and it is not working:

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:                 # matched by host policy selectors, e.g. selector: role == 'k8s-worker'
    role: k8s-worker
    environment: production
spec:
  interfaceName: eth1     # policy applies to traffic entering or leaving node1 on eth1
  node: node1
  ports:                  # named ports only: they give a name a policy rule can reference, they do not allow traffic by themselves
    - name: https
      port: 443
      protocol: TCP

Is it possible to achieve this with Calico, or is adding iptables rules the only solution in this case?

-- Jonas
calico
kube-proxy
kubernetes
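A HostEndpoint on its own does not restrict NodePort traffic: Calico's normal host-endpoint policy is evaluated after kube-proxy's DNAT, by which point the destination is already the pod IP and target port, so a rule on the NodePort never matches. Calico handles this with pre-DNAT policy (`preDNAT: true` together with `applyOnForward: true`), which is enforced in PREROUTING on the packet as it arrives on the wire. The following is an added example, not code from the original post; it assumes the HostEndpoint above exists with the label `role: k8s-worker`, that the NodePort really is TCP 443 on eth1 as in the question, and it uses constructed placeholder networks 192.168.0.0/16 (pods) and 10.0.0.0/24 (nodes) that must be replaced with the cluster's own ranges.

```yaml
# Added example (not from the original post). Assumes a HostEndpoint labelled
# role: k8s-worker, a NodePort of TCP 443, and the constructed networks below.

# 1. Allow the NodePort. Because preDNAT is set, destination.ports is matched
#    against the port on the wire, i.e. the NodePort, not the DNAT'd pod port.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-nodeport-443
spec:
  order: 10
  preDNAT: true
  applyOnForward: true      # required for preDNAT policies
  selector: role == 'k8s-worker'
  ingress:
    - action: Allow
      protocol: TCP
      destination:
        ports: [443]
---
# 2. Keep cluster-internal traffic (pod network, other nodes) working; the
#    deny below would otherwise also cut node-to-node and pod-to-node traffic.
#    192.168.0.0/16 and 10.0.0.0/24 are constructed values, substitute yours.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-cluster-internal-ingress
spec:
  order: 10
  preDNAT: true
  applyOnForward: true
  selector: role == 'k8s-worker'
  ingress:
    - action: Allow
      source:
        nets: [192.168.0.0/16, 10.0.0.0/24]
---
# 3. Deny everything else that reaches the host endpoint before DNAT.
#    Higher order value = evaluated later, so the allows above win.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: drop-other-ingress
spec:
  order: 20
  preDNAT: true
  applyOnForward: true
  selector: role == 'k8s-worker'
  ingress:
    - action: Deny
```

Apply the three policies with `calicoctl apply -f`, then verify with `calicoctl get hostendpoints` and `calicoctl get globalnetworkpolicy -o wide`; `iptables-save -t mangle | grep cali-` shows the pre-DNAT chains Calico programs. Two caveats worth knowing: Calico's failsafe inbound ports (SSH 22, BGP 179, the etcd and Kubernetes API ports, configurable in FelixConfiguration `failsafeInboundHostPorts`) stay reachable regardless of these policies, and return traffic for connections the node itself opens is still accepted because Calico matches RELATED,ESTABLISHED conntrack state ahead of the pre-DNAT chain, which is the gap the hand-written `! --dport 443` DROP rule has. Also note that a HostEndpoint that no policy selects is default-deny (apart from the failsafe ports), so creating the endpoint before the policies can itself look like "not working".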

0 Answers