
I have a kubernetes cluster with calico. I want to prevent routing through external interfaces to reach the internal clusterIPs of the cluster. I am planning to use this.

For which interfaces should the hostendpoint be defined? Is it only the interface on which the Kubernetes was advertised or for all the external interfaces in the cluster?

Wytrzymały Wiktor

2 Answers


You should define a HostEndpoint for every network interface that you want to block/filter traffic on, and for every node in your cluster as well, since a given HostEndpoint of this type only protects a single interface on a single node.

Also, since defining a HostEndpoint in Calico will immediately block ALL network traffic to that node and network interface (except for a few "failsafe" ports by default), make sure to have your network policies in place BEFORE you define your HostEndpoints, so the traffic you want to allow will be allowed. You will want to consider if you need to allow traffic to/from the kubelet on each node, to/from your DNS servers, etc.

A common pattern is to use HostEndpoints for public network interfaces since those are the most exposed, and not for your private network interface since ideally those are used for pod to pod and node to node traffic that your Kubernetes cluster needs in order to function properly.

Brad Behle
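As an added example (not from this answer or from the Calico project), the ordering described above written out as manifests: a GlobalNetworkPolicy that selects the host endpoints is created first, and only then one HostEndpoint per public interface per node. The label role: k8s-worker, the admin network 192.0.2.0/24, the resolver 192.0.2.53, the node name node-a and the interface ens192 are constructed placeholders; Calico's default failsafe ports still apply on top of this policy.

```yaml
# Step 1: apply the policy first. It selects every host endpoint labelled
# role == 'k8s-worker'; lower order values are evaluated first.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: public-iface-hostendpoints
spec:
  selector: role == 'k8s-worker'
  order: 10
  types: [Ingress, Egress]
  ingress:
    # SSH and the kubelet API only from the admin/control-plane network (constructed CIDR)
    - action: Allow
      protocol: TCP
      source:
        nets: ["192.0.2.0/24"]
      destination:
        ports: [22, 10250]
    # anything else arriving on the protected interface is dropped
    - action: Deny
  egress:
    # DNS to the resolver the node uses (constructed address)
    - action: Allow
      protocol: UDP
      destination:
        nets: ["192.0.2.53/32"]
        ports: [53]
    # let the node initiate everything else (image pulls, API server, NTP)
    - action: Allow
---
# Step 2: only after the policy exists, create one HostEndpoint per public
# interface on each node (repeat this document for node-b, node-c, ...).
# Private cluster interfaces used for pod and node traffic get no HostEndpoint.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node-a-ens192
  labels:
    role: k8s-worker        # matched by the policy selector above
spec:
  node: node-a              # must equal the Calico Node name (usually the hostname)
  interfaceName: ens192     # the public NIC on this node (constructed name)
  expectedIPs: ["203.0.113.10"]
```

Apply the policy document on its own and confirm it with calicoctl get globalnetworkpolicy before creating the HostEndpoints, since the endpoint starts dropping unmatched traffic the moment it exists.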

The example from the article you mentioned has it: spec.interfaceName: eth0. Have you tried it so far?

For each host endpoint that you want to secure with policy, you must create a HostEndpoint object. To do that, you need the name of the Calico node on the host that owns the interface; in most cases, it is the same as the hostname of the host.

In the following example, we create a HostEndpoint for the host named my-host with the interface named eth0, with IP 10.0.0.1. Note that the value for node: must match the hostname used on the Calico node object.

When the HostEndpoint is created, traffic to or from the interface is dropped unless policy is in place.

apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: my-host-eth0
  labels:
    role: k8s-worker
    environment: production
spec:
  interfaceName: eth0
  node: my-host
  expectedIPs: ["10.0.0.1"]

Bazhikov
My interface name is not eth0. In my setup, I have multiple external interfaces. Some are used for kubernetes/calico and some are used for configuring virtual ips etc. So, should I define hostendpoint for each external interface or just the one which is used in Kubernetes/calico? – Parvathy Mohan Mar 15 '22 at 00:30