NodePort is always open when using HostEndpoint #8109
Comments
I'm obliged to link this issue explaining Calico API versions: #6412
Sorry - it's not obvious to me from the issue, but where are you running this curl command from - is it from one of your Kubernetes nodes or somewhere else?
"Somewhere else": from any host outside the k8s cluster.
I changed the API in the manifests to projectcalico.org/v3. It did not help. https://github.com/BigKAA/youtube/blob/hep/net/05-NetworkPolicy-calico/np/np-10.yaml Access to the NodePort service remains open.
Very strange. When a control node of the cluster is requested, the node port is not closed. On a worker node of the cluster it is closed.
@BigKAA have you checked the failsafe ports?
@mazdakn Yes, I checked. Separately, I made my own list of ports to check:

```yaml
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  bpfLogLevel: ''
  floatingIPs: Disabled
  healthPort: 9099
  logSeverityScreen: Info
  reportingInterval: 0s
  failsafeInboundHostPorts:
  - "tcp:22"
  - "udp:68"
  - "tcp:179"
  - "tcp:2379"
  - "tcp:2380"
  - "tcp:6443"
  - "tcp:6666"
  - "tcp:6667"
```

In this video I show the problem. Sorry, the video is in Russian. https://youtu.be/5g2cnLvgjq8?si=bZvpnPW8qkG47cmg&t=2283
@BigKAA have you made any progress? Did you check how the policies are rendered in iptables/ipvs rules? Did you try to apply policies step by step? Have you tried to deny everything from outside with a simpler policy? In what CIDR is your client?
@tomastigera I stopped using Calico policies to restrict external connections and switched to classic iptables.
I'm trying to close the k8s cluster using Calico network policies.
As an example I use https://docs.tigera.io/calico/latest/network-policy/hosts/protect-hosts-tutorial
Expected Behavior
As I understand from the example, NodePorts should be unavailable by default and should be opened using network policies.
Current Behavior
But, for some reason, all ports reserved for NodePort are open by default. I also cannot close them using policies.
Possible Solution
Steps to Reproduce (for bugs)
curl http://192.168.218.171:31110
Context
I tried to explicitly list the protected ports in the FailsafeInboundHostPorts parameter of FelixConfiguration, not including the ports reserved for NodePort. It did not help.
Your Environment
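An added example, not taken from this issue or from the Calico project: Calico's documentation notes that NodePort traffic is DNATted to a pod IP before ordinary HostEndpoint policy is evaluated, so a policy meant to close NodePorts has to be a pre-DNAT GlobalNetworkPolicy rather than a normal one. The node name, interface, label `role: k8s-node`, the admin CIDR 192.0.2.0/24 and the default NodePort range 30000-32767 are assumptions; only the node IP comes from the curl command in the issue.

```yaml
# Added example (not from the issue or the Calico project). Placeholders:
# node name "node-1", interface "eth0", node IP 192.168.218.171 (the address
# curled in the issue) and admin CIDR 192.0.2.0/24; the label role=k8s-node
# is assumed. 30000-32767 is kube-apiserver's default NodePort range.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node-1-eth0
  labels:
    role: k8s-node
spec:
  node: node-1
  interfaceName: eth0
  expectedIPs:
  - 192.168.218.171
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: restrict-nodeports
spec:
  order: 10
  # Pre-DNAT policy is evaluated before kube-proxy rewrites the NodePort to
  # a pod IP, so the rules match the original node IP and port; ordinary
  # host endpoint policy runs after DNAT and never sees the NodePort.
  preDNAT: true
  # applyOnForward must be true for preDNAT policy.
  applyOnForward: true
  selector: role == 'k8s-node'
  types:
  - Ingress
  ingress:
  # The operators' network may still reach NodePorts.
  - action: Allow
    protocol: TCP
    source:
      nets:
      - 192.0.2.0/24
    destination:
      ports:
      - "30000:32767"
  # Everyone else is dropped before DNAT. Traffic to other host ports is
  # unaffected: with no match here it continues to normal policy processing.
  - action: Deny
    protocol: TCP
    destination:
      ports:
      - "30000:32767"
```

Apply with `calicoctl apply -f` and re-run the curl from outside the cluster; the failsafe ports listed in FelixConfiguration stay reachable regardless of this policy.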