K
Q

Kubernetes node firewall

2/2/2022

The self-managed bare-metal Kubernetes worker node is using NodePort (there is a reason for using NodePort) for ingress traffic. I need to allow incoming connections only to NodePort port.

This is what I did and it is working but it is not ideal as Calico and kube-proxy are also using iptables:

iptables -I INPUT 1 -i eth1 -p tcp ! --dport 443 -j DROP
iptables -I INPUT 1 -i eth1 -p udp -j DROP
iptables -I INPUT 1 -i eth1 -p icmp -j DROP

This is what I tried with the Calico and it is not working:

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:
    role: k8s-worker
    environment: production
spec:
  interfaceName: eth1
  node: node1
  ports:
    - name: https
      port: 443
      protocol: TCP

Is it possible to achieve with the Calico or adding iptables rules is the only solution in this case?

-- Jonas
calico
kube-proxy
kubernetes

Similar Questions

Kubectl: command not found on travis ci
Restart server running inside Kubernetes Node
Recurring "Can't connect to MySQL server .. Temporary failure in name resolution" in GKE cluster
Kube ingress with hostname (how to know IP to forward domain name?)
Gitlab Autodevops How to always keep one pod alive

0 Answers