incalculable-air-54033
05/22/2023, 11:14 AM
rke2 version v1.25.9+rke2r1 (842d05e64bcbf78552f1db0b32700b8faea403a0)
There are unnecessary open ports exposed outside of the node, specifically these:
983002/kube-apiserv on 0.0.0.0:6443
1000/systemd-resolv on 0.0.0.0:5355
982742/kubelet on 0.0.0.0:10250
985099/calico-node on 0.0.0.0:9091
After disabling IPv6, they are still listening on 0.0.0.0. Can't seem to find a configuration option to lock down these services to the internal network only.
Any ideas?

great-jewelry-76121
05/22/2023, 12:49 PM

creamy-pencil-82913
05/22/2023, 5:51 PM

great-jewelry-76121
05/23/2023, 9:07 AM
I’m not sure what the calico-node listener exposes
Port 9091 is metrics. https://docs.tigera.io/calico/latest/operations/monitor/monitor-component-metrics#creating-a-service-to-expose-felix-metrics