-
We don't technically support k3s with firewalld enabled. Kubernetes makes extensive use of iptables rules and does not expect other products to be managing rulesets alongside it. https://docs.k3s.io/installation/requirements?os=rhel#operating-systems
-
How do I add my restrictions to k3s then?
-
I don't know what you're deploying that's using 8443 and 8080; we don't ship anything that uses or exposes those ports by default. Can you provide any specific information on your environment and what you're deploying that's using these ports?
-
We change the default ports from 80/443 to 8080/8443.
-
I work with @markbroda. Kubernetes opens the ingress ports to all. I would like to specify a rule or rules that restrict all traffic to a list of trusted networks and IPs, and I'd prefer to do this in one place that prevents any other service from overriding that list. We make heavy use of salt and jinja. Ideally, our trust dictionary could be used to create/maintain a yaml config file in /var/lib/rancher/k3s/server/manifests. Is there no way to do this?
-
Is your feature request related to a problem? Please describe.
We have firewalld configured (via salt, of course) to open all ports only to trusted networks (a mix of public IPs and private nets). A few ports like 80 and 443 are open to all IPs.
When k3s starts, traefik inserts a ton of KUBE* rules that are processed first which causes 8443 and 8080 to be open to all IPs. We don't want that.
It's imperative.
We can't run for much longer without a fix for this.
I really want to be able to use salt to pull in the same 'allowed nets' info.
I can template a config file in any format that is needed, but I am pretty much insisting on a config file vs a set of commands.
Describe the solution you'd like
We want our salt config for firewalld to be the dominant config and not get overwritten.
Describe alternatives you've considered
https://discourse.nixos.org/t/installing-k3s-disables-firewall-port-range-unexpectedly/46396/3
We are asking all kinds of channels with no one able to supply a fix or correct way to have this done.