
The self-managed bare-metal Kubernetes worker node is using NodePort (there is a reason for using NodePort) for ingress traffic. I need to allow incoming connections only to the NodePort port.

This is what I did, and it is working, but it is not ideal, as Calico and kube-proxy also use iptables:

# each -I INPUT 1 inserts at the top of INPUT, ahead of the chains Calico and kube-proxy add;
# eth1 is the external interface
iptables -I INPUT 1 -i eth1 -p tcp ! --dport 443 -j DROP
iptables -I INPUT 1 -i eth1 -p udp -j DROP
iptables -I INPUT 1 -i eth1 -p icmp -j DROP

This is what I tried with Calico, and it is not working:

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:
    role: k8s-worker
    environment: production
spec:
  interfaceName: eth1
  node: node1
  ports:
    - name: https
      port: 443
      protocol: TCP

Is it possible to achieve this with Calico, or is adding iptables rules the only solution in this case?

Jonas
  • You need to provide more info, such as exactly which distribution and version of k8s you are using and what your container runtime is (is it docker, cri-o, or something else?), because in the case of docker, docker-generated iptables rules will bypass nearly anything that you have configured in iptables directly – Andrew Feb 02 '22 at 15:00
  • Ubuntu, Kubernetes 1.22.3 with kube-proxy in ipvs mode, and containerd. I tested the iptables rules and they are working, but as I guessed, they can probably stop working due to other components. – Jonas Feb 02 '22 at 15:21
  • Containerd ~= docker in your case; I believe https://docs.docker.com/network/iptables/ explains nicely which rules are respected by docker – Andrew Feb 02 '22 at 15:47
  • What do calico or kube-proxy have to do with ingress traffic? – suren Feb 02 '22 at 16:48
  • I found this article, which describes this issue. I asked the author if he has any updates on the last update https://medium.com/swlh/manage-iptables-firewall-for-docker-kubernetes-daa5870aca4d – Jonas Feb 03 '22 at 08:32
  • @suren calico and kube-proxy are also using iptables, and custom rules can be moved to the bottom, where they will not work. @Andrew your solution didn't work out because I couldn't find the `DOCKER-USER` chain. Kubernetes must be organizing iptables in its own way. – Jonas Feb 03 '22 at 08:39
  • How exactly did you set up the Calico policy here? Have you checked this article? https://projectcalico.docs.tigera.io/security/kubernetes-node-ports – anarxz Feb 03 '22 at 13:55
  • @Jonas that's internal traffic. Ingress is external to the cluster. Once in the cluster, that's when calico and kube-proxy kick in. – suren Feb 03 '22 at 15:20

1 Answer

This is my working configuration:

apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  bpfLogLevel: ""
  ipipEnabled: true
  logSeverityScreen: Info
  reportingInterval: 0s
  # The Felix field is camelCase. An empty list removes the default failsafe
  # ports (SSH 22, DHCP 68, BGP 179, etcd, the API server port, ...), which
  # would otherwise stay reachable on the host endpoint regardless of policy.
  failsafeInboundHostPorts: []

---

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:
    role: worker-ext       # matched by the policy selectors below
spec:
  interfaceName: eth1      # the external interface; a HostEndpoint is default-deny once created
  node: node1

---

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: inbound-external
spec:
  selector: role == 'worker-ext'
  preDNAT: true            # match the original destination port, before kube-proxy's NodePort DNAT
  applyOnForward: true     # required for preDNAT policies
  order: 1
  types:
    - Ingress              # preDNAT policies may only carry ingress rules

  ingress:
    - action: Deny         # rules are evaluated in order; the first match wins
      protocol: TCP
      destination:
        ports: [22, 68]

    - action: Allow        # the NodePort; nothing else is allowed in
      protocol: TCP
      destination:
        ports: [443]

---

apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-outbound-external
spec:
  selector: role == 'worker-ext'
  applyOnForward: true     # also covers traffic forwarded from pods out through eth1
  types:
    - Egress
  egress:
    - action: Allow        # unrestricted outbound


Jonas
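The following is an added example, not code from the question, the answer, or Project Calico. It models how Calico decides the fate of an inbound packet on a protected HostEndpoint, using the answer's `inbound-external` policy as input, so you can see which (protocol, port) pairs actually remain reachable on eth1 and why clearing `failsafeInboundHostPorts` matters. The evaluation order it encodes is my reading of the Calico host-endpoint docs (failsafe ports bypass policy; preDNAT policies are evaluated by ascending `order` with the first matching rule winning; unmatched traffic continues to normal policies and finally to the host endpoint's default deny), and the default failsafe port list is an assumption taken from those docs; check both against the docs for your Calico version before relying on the result.

```python
"""Model of Calico inbound host-endpoint policy evaluation (added example).

Assumptions (verify against the Calico docs for your version):
  * failsafeInboundHostPorts bypass all policy stages;
  * preDNAT policies run first, sorted by ascending `order`, first matching
    rule wins; unmatched packets fall through to normal policies;
  * a packet not allowed by any stage hits the HostEndpoint default deny.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Assumption: Calico's documented default failsafeInboundHostPorts as (proto, port).
DEFAULT_FAILSAFE_IN: Set[Tuple[str, int]] = {
    ("tcp", 22), ("udp", 68), ("tcp", 179), ("tcp", 2379), ("tcp", 2380),
    ("tcp", 5473), ("tcp", 6443), ("tcp", 6666), ("tcp", 6667),
}


@dataclass(frozen=True)
class Rule:
    action: str                          # "Allow" or "Deny"
    protocol: Optional[str] = None       # None matches any protocol
    ports: FrozenSet[int] = frozenset()  # empty set matches any destination port

    def matches(self, proto: str, dport: int) -> bool:
        if self.protocol is not None and self.protocol.lower() != proto:
            return False
        return not self.ports or dport in self.ports


@dataclass(frozen=True)
class Policy:
    name: str
    order: float
    pre_dnat: bool
    ingress: Tuple[Rule, ...]


def evaluate_inbound(policies: List[Policy], proto: str, dport: int,
                     failsafe: Set[Tuple[str, int]] = DEFAULT_FAILSAFE_IN) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet arriving on the host endpoint."""
    if (proto, dport) in failsafe:
        return "Allow", "failsafe port (bypasses policy)"
    # preDNAT stage, then the normal stage; within a stage, lowest order first.
    for stage, is_pre_dnat in (("preDNAT", True), ("normal", False)):
        stage_policies = sorted((p for p in policies if p.pre_dnat == is_pre_dnat),
                                key=lambda p: p.order)
        for pol in stage_policies:
            for rule in pol.ingress:
                if rule.matches(proto, dport):
                    return rule.action, f"{stage} policy {pol.name}"
    return "Deny", "host endpoint default deny"


def answer_policies() -> List[Policy]:
    """The answer's GlobalNetworkPolicy 'inbound-external' expressed as rule objects."""
    return [
        Policy(
            name="inbound-external", order=1, pre_dnat=True,
            ingress=(
                Rule("Deny", "TCP", frozenset({22, 68})),
                Rule("Allow", "TCP", frozenset({443})),
            ),
        ),
    ]


def exposed_ports(policies: List[Policy], failsafe: Set[Tuple[str, int]],
                  protos: Tuple[str, ...] = ("tcp", "udp"),
                  max_port: int = 65535) -> Set[Tuple[str, int]]:
    """Every (proto, port) that the host accepts under these policies."""
    return {(pr, p) for pr in protos for p in range(1, max_port + 1)
            if evaluate_inbound(policies, pr, p, failsafe)[0] == "Allow"}


if __name__ == "__main__":
    pols = answer_policies()
    print("failsafeInboundHostPorts: []  ->", sorted(exposed_ports(pols, set())))
    print("default failsafe ports       ->", sorted(exposed_ports(pols, DEFAULT_FAILSAFE_IN)))
```

With the failsafe list cleared, the only reachable pair is tcp/443, which is the requirement from the question. With the defaults left in place, tcp/22 is accepted even though the policy's first rule denies it, which is why the answer's FelixConfiguration clears `failsafeInboundHostPorts`; do that only after confirming you have another path to the node, since SSH and the BGP/etcd/API-server ports are in that default list.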