This message was deleted.

Perhaps use calico's host-protection features to block those from outside your cluster? https://docs.tigera.io/calico/latest/network-policy/hosts/kubernetes-nodes

kube-apiserver needs to be exposed for obvious reasons. the kubelet needs to be exposed so that metrics-server can scrape metrics. I’m not sure what the calico-node listener exposes. systemd-resolved is well… part of systemd and I’m not sure why you’d report it here.

I’m not sure what the calico-node listener exposes

Port 9091 is metrics. https://docs.tigera.io/calico/latest/operations/monitor/monitor-component-metrics#creating-a-service-to-expose-felix-metrics