canonical / microk8s

MicroK8s is a small, fast, single-package Kubernetes for datacenters and the edge.
https://microk8s.io
Apache License 2.0
8.49k stars 773 forks

calico firewall rules #3815

Closed JPFrancoia closed 1 year ago

JPFrancoia commented 1 year ago

Hi, I deployed a microk8s cluster and it's working like a charm. I followed the tutorial here: https://ubuntu.com/tutorials/install-a-local-kubernetes-with-microk8s#2-deploying-microk8s. I just have a simple question about the ufw rules. After installation, here is what I have (I removed everything that wasn't relevant):

❯ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on vxlan.calico   ALLOW IN    Anywhere
Anywhere on cali+          ALLOW IN    Anywhere
Anywhere (v6) on vxlan.calico ALLOW IN    Anywhere (v6)
Anywhere (v6) on cali+     ALLOW IN    Anywhere (v6)
443/tcp (WWW Secure)       ALLOW IN    Anywhere
443/tcp (WWW Secure (v6))  ALLOW IN    Anywhere (v6)

Anywhere                   ALLOW OUT   Anywhere on vxlan.calico
Anywhere                   ALLOW OUT   Anywhere on cali+
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on vxlan.calico
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on cali+

I'm a bit afraid of the inbound rules (ALLOW IN from Anywhere). To be honest, I don't understand them (I wasn't able to find out which ports they open) and it would be awesome if you could give an explanation about what they do.

If possible I'd like to only expose the https port to the whole internet, and I'm wondering if I can limit the calico rules to local networks?

berkayoz commented 1 year ago

Hey @JPFrancoia, thanks for reaching out. The rules you see apply to the Calico vxlan only. The pods and services communicate through this virtual network and the traffic is tunneled through the actual network link. The virtual network is local and shared across the nodes of a Kubernetes cluster. These rules are set up here in MicroK8s. The usual configuration is to allow any host in/out since pods/services can use a wide variety of IP addresses. You can also take a look at the Calico requirements.
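
An added example (not from this issue and not MicroK8s or Calico code) that makes the distinction in the answer above checkable: it parses a `ufw status verbose` listing and sorts each inbound rule into "bound to a Calico virtual interface" (`vxlan.calico`, or the `cali+` prefix wildcard that matches the per-pod veth ends) versus "accepted from any source on any interface". The only assumption is the output layout shown in the thread; the sample input is constructed from the listing quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the `ufw status verbose` listing quoted in the
# issue (trimmed by the reporter), embedded so the script runs offline.
SAMPLE_UFW_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on vxlan.calico   ALLOW IN    Anywhere
Anywhere on cali+          ALLOW IN    Anywhere
Anywhere (v6) on vxlan.calico ALLOW IN    Anywhere (v6)
Anywhere (v6) on cali+     ALLOW IN    Anywhere (v6)
443/tcp (WWW Secure)       ALLOW IN    Anywhere
443/tcp (WWW Secure (v6))  ALLOW IN    Anywhere (v6)

Anywhere                   ALLOW OUT   Anywhere on vxlan.calico
Anywhere                   ALLOW OUT   Anywhere on cali+
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on vxlan.calico
Anywhere (v6)              ALLOW OUT   Anywhere (v6) on cali+
"""

# One rule line: "<to>  <ALLOW|DENY|REJECT|LIMIT> <IN|OUT|FWD>  <from>".
# Column widths are not fixed (see the v6 vxlan line, which overflows its
# column), so match on the action keywords rather than on offsets.
RULE_RE = re.compile(
    r"^(?P<to>.+?)\s+(?P<action>ALLOW|DENY|REJECT|LIMIT)\s+"
    r"(?P<direction>IN|OUT|FWD)\s+(?P<frm>.+?)\s*$"
)
IFACE_RE = re.compile(r"\bon\s+(\S+)")


def is_calico_iface(name):
    # Calico's virtual links: the VXLAN overlay device and the pod veths.
    # ufw's "cali+" is a prefix wildcard, so treat any "cali*" as Calico.
    return name == "vxlan.calico" or name.startswith("cali")


@dataclass
class Rule:
    to: str
    action: str
    direction: str
    frm: str
    interface: Optional[str]  # interface the rule is bound to, if any
    port: str                 # e.g. "443/tcp", or "any" for an Anywhere rule
    ipv6: bool

    @property
    def calico_only(self):
        return self.interface is not None and is_calico_iface(self.interface)

    @property
    def open_to_internet(self):
        # Inbound, not bound to an interface, accepted from any source: the
        # only kind of rule here that exposes a host port on every NIC.
        return (self.direction == "IN" and self.interface is None
                and self.frm.startswith("Anywhere"))


def parse_ufw_status(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # Status/Logging/Default lines, header, "--", blanks
        to, frm = m["to"], m["frm"]
        # The "on <iface>" qualifier sits on the side the packet enters/leaves.
        side = to if m["direction"] == "IN" else frm
        iface = IFACE_RE.search(side)
        port = to.split()[0]
        rules.append(Rule(
            to=to, action=m["action"], direction=m["direction"], frm=frm,
            interface=iface.group(1) if iface else None,
            port="any" if port == "Anywhere" else port,
            ipv6="(v6)" in to or "(v6)" in frm,
        ))
    return rules


def exposed_ports(rules):
    """Ports reachable from any source on any interface."""
    return sorted({r.port for r in rules if r.open_to_internet})


def calico_scoped(rules):
    """Inbound rules that only ever see overlay/pod traffic."""
    return [r for r in rules if r.direction == "IN" and r.calico_only]


if __name__ == "__main__":
    rules = parse_ufw_status(SAMPLE_UFW_STATUS)
    for r in calico_scoped(rules):
        print(f"pod-network only  : {r.port:8} on {r.interface}")
    for r in rules:
        if r.open_to_internet:
            print(f"INTERNET-REACHABLE: {r.port:8} from {r.frm}")
```

Run against the listing above it reports four "pod-network only" rules (all ports, but only on `vxlan.calico` and `cali*`, interfaces that exist solely to carry pod and overlay traffic) and two "INTERNET-REACHABLE" rules, both for 443/tcp, which is the split the question turns on. One caveat the listing does not show: on a multi-node cluster the encapsulated VXLAN packets between nodes arrive on the physical NIC (Calico's default VXLAN port is UDP 4789), so that port has to be allowed separately and is the natural place for a `from <node subnet>` restriction; the interface-bound rules say nothing about it.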

JPFrancoia commented 1 year ago

Hey, thanks for coming back to me! OK, so from what I understand, it only affects this virtual network. Can I safely assume that it doesn't expose the host (aka my computer) on a new port to the whole internet?

berkayoz commented 1 year ago

Yes, I'd say it's safe to assume that.

JPFrancoia commented 1 year ago

Awesome, thanks!