This message was deleted.

If I recall correctly, flannel sets items in the routing table for different IP ranges, so I'm not sure you can restrict the IP range it listens on. Though that's a guess, so it might be possible?

Thanks for the input. I hope there is a way, since it's a security concern to me. For a little bit of context: The link shows 10.0.0.1 (not 0.0.0.0) and the interface

abc

ip -d link show flannel.1

5: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1370 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 
    vxlan id 1 local 10.0.0.1 dev abc srcport 0 0 dstport 8472 nolearning ttl auto ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

But flannel listens to 0.0.0.0

netstat -tulpn

udp 0  0 0.0.0.0:8472   0.0.0.0:*    -

Maybe I'm missing something

Look at the output of

route -n

and you'll notice a route to each kubernetes node with the flannel interface. Why it shows up as all in netstat, I'm not sure.

Since this is (currently) a single node cluster, there is no route to any other Kuberentes node. But this is very strange:

netstat -tulpn

isn't showing me the PID and the state, so there is no state

LISTEN

on

8472

, but

netstat

lists it. I run wireguard on the machine, and the wireguard port is listed the same way (no state, no PID) and is open. This is why I'm concerned

If you aren't getting a PID why do you conclude it's flannel?

Because it is the port listed on the RKE2 page as Flannel VXLAN and the link

flannel.1

shows me

8472

Tearing down the RKE2 cluster results in the port getting closed.

Great, thanks 🙂 I was unsure whether this is caused by RKE2 config or flannel itself. Thanks for the help @rough-farmer-49135 and @creamy-pencil-82913