The self-managed bare-metal Kubernetes worker node is using NodePort (there is a reason for using NodePort) for ingress traffic. I need to allow incoming connections only to NodePort port.
This is what I did and it is working but it is not ideal as Calico and kube-proxy are also using iptables:
iptables -I INPUT 1 -i eth1 -p tcp ! --dport 443 -j DROP
iptables -I INPUT 1 -i eth1 -p udp -j DROP
iptables -I INPUT 1 -i eth1 -p icmp -j DROP
This is what I tried with the Calico and it is not working:
  apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: node1-eth1
    labels:
      role: k8s-worker
      environment: production
  spec:
    interfaceName: eth1
    node: node1
    ports:
      - name: https
        port: 443
        protocol: TCP
Is it possible to achieve this with Calico, or is adding iptables rules the only solution in this case?
This is my working configuration:
  apiVersion: projectcalico.org/v3
  kind: FelixConfiguration
  metadata:
    name: default
  spec:
    bpfLogLevel: ""
    ipipEnabled: true
    logSeverityScreen: Info
    reportingInterval: 0s
    # field name is camelCase in the FelixConfiguration spec; an empty list
    # removes Calico's default failsafe inbound ports (e.g. TCP 22, UDP 68)
    failsafeInboundHostPorts: []
  ---
  apiVersion: projectcalico.org/v3
  kind: HostEndpoint
  metadata:
    name: node1-eth1
    labels:
      role: worker-ext
  spec:
    interfaceName: eth1
    node: node1
  ---
  apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: inbound-external
  spec:
    selector: role == 'worker-ext'
    # preDNAT policy is evaluated before kube-proxy's NodePort DNAT,
    # so it matches on the port the client actually connected to
    preDNAT: true
    applyOnForward: true
    order: 1
    types:
      - Ingress
    ingress:
      - action: Deny
        protocol: TCP
        destination:
          ports: [22, 68]
      - action: Allow
        protocol: TCP
        destination:
          ports: [443]
  ---
  apiVersion: projectcalico.org/v3
  kind: GlobalNetworkPolicy
  metadata:
    name: allow-outbound-external
  spec:
    selector: role == 'worker-ext'
    applyOnForward: true
    types:
      - Egress
    egress:
      - action: Allow
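As an added illustration that is not part of the original post or of Calico itself, the Python below is a small model of how Felix evaluates inbound traffic on the host endpoint for the configuration above: failsafe ports are allowed before any policy runs, then the policy's rules are tried first-match-wins, and a host endpoint with at least one policy applied denies anything no rule matched. The failsafe set is a constructed subset of Calico's defaults; it shows why the configuration empties failsafeInboundHostPorts, since otherwise the Deny rule for TCP 22 would never be reached.

```python
# Added example: a model of Calico's evaluation order for inbound
# host-endpoint traffic. It is not Felix's code; it reproduces the
# documented ordering (failsafes -> ordered rules -> default deny).

# Constructed subset of Calico's default failsafeInboundHostPorts.
# The working configuration above sets this list to [] to remove them.
DEFAULT_FAILSAFE_INBOUND = frozenset({
    ("TCP", 22), ("UDP", 68), ("TCP", 179), ("TCP", 6443),
})

# Ingress rules of the 'inbound-external' GlobalNetworkPolicy, in order.
INBOUND_EXTERNAL_RULES = [
    {"action": "Deny", "protocol": "TCP", "ports": {22, 68}},
    {"action": "Allow", "protocol": "TCP", "ports": {443}},
]


def evaluate_inbound(protocol, dport, rules=INBOUND_EXTERNAL_RULES,
                     failsafe_ports=frozenset()):
    """Return 'Allow' or 'Deny' for a packet arriving on the host endpoint.

    failsafe_ports defaults to empty, matching failsafeInboundHostPorts: [].
    Because the policy is preDNAT, dport is the port the client connected
    to (the NodePort), not the backend pod port after kube-proxy's DNAT.
    """
    # Failsafe ports are accepted before any policy is consulted.
    if (protocol, dport) in failsafe_ports:
        return "Allow"
    # Policy rules: first match wins.
    for rule in rules:
        if rule["protocol"] == protocol and dport in rule["ports"]:
            return rule["action"]
    # An endpoint with policy applied denies unmatched traffic.
    return "Deny"


def main():
    for proto, port in [("TCP", 443), ("TCP", 22), ("TCP", 30080), ("UDP", 53)]:
        print(f"{proto} {port}: {evaluate_inbound(proto, port)}")
    # With the default failsafes left in place, SSH still reaches the node
    # even though the policy's first rule is a Deny for TCP 22.
    kept = evaluate_inbound("TCP", 22, failsafe_ports=DEFAULT_FAILSAFE_INBOUND)
    print(f"TCP 22 with default failsafes kept: {kept}")


if __name__ == "__main__":
    main()
```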