
incalculable-air-54033

05/22/2023, 11:14 AM
After installing RKE2 (rke2 version v1.25.9+rke2r1 (842d05e64bcbf78552f1db0b32700b8faea403a0)) there are unnecessary open ports exposed outside of the node, specifically these:
983002/kube-apiserv on 0.0.0.0:6443
1000/systemd-resolv on 0.0.0.0:5355
982742/kubelet on 0.0.0.0:10250
985099/calico-node on 0.0.0.0:9091
After disabling IPv6, they are still listening on 0.0.0.0. Can't seem to find a configuration option to lock down these services to the internal network only. Any ideas?

great-jewelry-76121

05/22/2023, 12:49 PM
Perhaps use calico's host-protection features to block those from outside your cluster? https://docs.tigera.io/calico/latest/network-policy/hosts/kubernetes-nodes

creamy-pencil-82913

05/22/2023, 5:51 PM
kube-apiserver needs to be exposed for obvious reasons. The kubelet needs to be exposed so that metrics-server can scrape metrics. I’m not sure what the calico-node listener exposes. systemd-resolved is, well… part of systemd, and I’m not sure why you’d report it here.

great-jewelry-76121

05/23/2023, 9:07 AM