Nodeports open from 0.0.0.0/0 by default, causing unexpected behaviour together with Floating IPs

[huxcrux]

/kind bug

What steps did you take and what happened: Nodeports are by default open from 0.0.0.0/0. This has historically not been a problem since nodes previously had an internal IP and was nat:ed over the Openstack router.

However when using Floating IPs this causes nodeports to be exposed from internet. This could lead to some unexpected behaviour. And sadly most end-users does not configure network policies properly meaning some services by mistake are accessible from the internet.

Since nodeport rules are added by default and there is no way of opting out this behaviour cannot be changed by the cluster admin.

Rules are added here: https://github.com/kubernetes-sigs/cluster-api-provider-openstack/blob/main/pkg/cloud/services/networking/securitygroups.go#L203 And defined here: https://github.com/kubernetes-sigs/cluster-api-provider-openstack/blob/main/pkg/cloud/services/networking/securitygroups_rules.go#L144C1-L165C1

I asked in slack if anyone was aware of any reason for nodeports to be open from 0.0.0.0/0 and got a reply saying it was due to conformance tests.

I think the best case of action would be to only allow nodeports from cluster subnet(s).

What did you expect to happen: Nodeports to not be open from internet without explicitly configuring it.

Anything else you would like to add: We may also want to change how rules for the API alongside AdditionalPorts exposed over the API Loadbalancer. However I would say nodeports are more "critical" since I see no reason in having Floating IPs on control-plane node at this time.

I'm currently running a conformance test with the following "change" applied to se if it passes: https://github.com/kubernetes-sigs/cluster-api-provider-openstack/commit/1685c65c303dbcf4bae2959705793c3133bd97fd

Environment:

• Cluster API Provider OpenStack version (Or git rev-parse HEAD if manually built): 0.10.3
• Cluster-API version: 1.7.3
• OpenStack version:
• Minikube/KIND version:
• Kubernetes version (use kubectl version):
• OS (e.g. from /etc/os-release):

[mdbooth]

@EmilienM I'm thinking that the default rules for NodePorts should probably restrict incoming traffic to workers and control plane. Anybody who wants to explicitly expose NodePorts externally with a FIP could add another rule to do that. What do you think?

[EmilienM]

@EmilienM I'm thinking that the default rules for NodePorts should probably restrict incoming traffic to workers and control plane. Anybody who wants to explicitly expose NodePorts externally with a FIP could add another rule to do that. What do you think?

works for me. @huxcrux are you going to submit a PR? We'll need doc as well.

[huxcrux]

@EmilienM I'm thinking that the default rules for NodePorts should probably restrict incoming traffic to workers and control plane. Anybody who wants to explicitly expose NodePorts externally with a FIP could add another rule to do that. What do you think?

works for me. @huxcrux are you going to submit a PR? We'll need doc as well.

Sure thing, just need to make sure the change passes conformance tests

[huxcrux]

Looks like conformance passed. Starting to work on a PR :)

Plugin: e2e
Status: passed
Total: 7411
Passed: 392
Failed: 0
Skipped: 7019

Plugin: systemd-logs
Status: passed
Total: 6
Passed: 6
Failed: 0
Skipped: 0

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale