After installing RKE2 `rke2 version v1 25 9+rke2r1 842d05e64bcbf78552f1db0b32700b8faea403a0 ` there are unnecessary open ports exposed outside of the node specifically these `983002 kube apiserv` on `0 0 0 0 6443` `1000 systemd resolv` on `0 0 0 0 5355` `982742 kubelet` on `0 0 0 0 10250` `985099 calico node` on `0 0 0 0 9091` After disabling IPV6 they are still listening on 0 0 0 0 Can t seem to find a configuration option to lock down these services to the internal network only Any ideas

After installing RKE2 `rke2 version v1 25 9+rke2r1 842d05e64 rancher-users #general

Title

# general

incalculable-air-54033

05/22/2023, 11:14 AM

After installing RKE2 (

rke2 version v1.25.9+rke2r1 (842d05e64bcbf78552f1db0b32700b8faea403a0)

there are unnecessary open ports exposed outside of the node, specifically these:

983002/kube-apiserv

0.0.0.0:6443

1000/systemd-resolv

0.0.0.0:5355

982742/kubelet

0.0.0.0:10250

985099/calico-node

0.0.0.0:9091

After disabling IPV6, they are still listening on 0.0.0.0. Can't seem to find a configuration option to lock down these services to the internal network only. Any ideas?

great-jewelry-76121

05/22/2023, 12:49 PM

Perhaps use calico's host-protection features to block those from outside your cluster? https://docs.tigera.io/calico/latest/network-policy/hosts/kubernetes-nodes

creamy-pencil-82913

05/22/2023, 5:51 PM

kube-apiserver needs to be exposed for obvious reasons. the kubelet needs to be exposed so that metrics-server can scrape metrics. I’m not sure what the calico-node listener exposes. systemd-resolved is well… part of systemd and I’m not sure why you’d report it here.

great-jewelry-76121

05/23/2023, 9:07 AM

I’m not sure what the calico-node listener exposes

Port 9091 is metrics. https://docs.tigera.io/calico/latest/operations/monitor/monitor-component-metrics#creating-a-service-to-expose-felix-metrics

3 Views