Kubernetes node firewall
The self-managed bare-metal Kubernetes worker node is using NodePort (there is a reason for using NodePort) for ingress traffic. I need to allow incoming connections only to the NodePort port.
This is what I did, and it is working, but it is not ideal, as Calico and kube-proxy are also using iptables:
iptables -I INPUT 1 -i eth1 -p tcp ! --dport 443 -j DROP
iptables -I INPUT 1 -i eth1 -p udp -j DROP
iptables -I INPUT 1 -i eth1 -p icmp -j DROP
This is what I tried with Calico, and it is not working:
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth1
  labels:
    role: k8s-worker
    environment: production
spec:
  interfaceName: eth1
  node: node1
  ports:
  - name: https
    port: 443
    protocol: TCP
Is it possible to achieve this with Calico, or is adding iptables rules the only solution in this case?
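As an added example (not part of the question or the Calico project's own manifests), this is the pre-DNAT policy form that Calico documents for protecting NodePorts: kube-proxy rewrites the destination of NodePort traffic before ordinary host-endpoint ingress policy sees it, so a policy that matches port 443 must be evaluated before that DNAT. It assumes the HostEndpoint above is applied with the label role: k8s-worker; the policy name is made up, and the deny rules mirror the three iptables rules in the question.

```yaml
# Added example: Calico GlobalNetworkPolicy that allows only TCP 443 into the
# eth1 HostEndpoint and denies other TCP, UDP and ICMP, evaluated pre-DNAT.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: nodeport-https-only   # hypothetical name
spec:
  # Selects the host endpoint(s) carrying the label from the HostEndpoint manifest.
  selector: role == 'k8s-worker'
  order: 10
  # Evaluate before kube-proxy's NodePort DNAT, so port 443 is the NodePort itself.
  preDNAT: true
  # Pre-DNAT policies must set applyOnForward and may only contain ingress rules.
  applyOnForward: true
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    destination:
      ports:
      - 443
  - action: Deny
    protocol: TCP
  - action: Deny
    protocol: UDP
  - action: Deny
    protocol: ICMP
```

Calico's failsafe ports (FelixConfiguration failsafeInboundHostPorts, which by default include SSH on 22) stay reachable regardless of this policy, so a mistake here does not lock you out of the node the way a bad iptables INPUT rule can.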
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow