# Network

## Ports

### Control Plane

| Port | Process |
|---|---|
| 6443/TCP | kube-apiserver |
| 2379-2380/TCP | etcd |
| 10250/TCP | kubelet |
| 10257/TCP | kube-controller-manager |
| 10259/TCP | kube-scheduler |
### Worker Nodes

| Port | Process |
|---|---|
| 10250/TCP | kubelet |
| 30000-32767/TCP | NodePort Services |
## Network Communications

### Network Policies
- Issue
    - By default, Kubernetes does not restrict traffic between pods running inside the cluster
    - Any pod can connect to any other pod, as there are no firewalls controlling intra-cluster traffic
    - Applications can potentially communicate with outside clients (north-south traffic) as well as with other applications running within the cluster (east-west traffic)
- Network Policies
    - By default, all ingress (incoming) and egress (outgoing) traffic is allowed, but you can control how pods are allowed to communicate by using network policies
    - They let you configure how groups of pods are allowed to communicate with each other and with other network endpoints
    - They act as firewalls between pods running on a Kubernetes cluster
    - You cannot enforce policies for outgoing (egress) traffic from pods using this feature
    - If a pod is not matched by any network policy, all traffic is allowed to and from that pod
Controls

| Component | Description |
|---|---|
| Enable Network Policies | ✅ Choose a network add-on that supports Network Policies (e.g., Calico or Canal) |
| Restrict Metadata API | ❌ AWS/Azure/GCP pass configuration to nodes through a Metadata API |
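The points above (unmatched pods accept all traffic; policies restrict how groups of pods may communicate) are illustrated by the following manifest, an added example that is not part of the original notes. The namespace `shop`, the labels `app=api` / `app=frontend` and port 8080 are assumed for illustration; enforcement requires a network add-on that implements NetworkPolicy, such as the Calico or Canal mentioned above.

```yaml
# Added example (not from the original notes). Two policies for the assumed
# namespace "shop": a default-deny for ingress, plus an explicit allow so that
# only pods labelled app=frontend can reach pods labelled app=api on TCP/8080.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  # An empty podSelector matches every pod in the namespace, so no pod is left
  # unmatched (an unmatched pod would still accept all incoming traffic).
  podSelector: {}
  policyTypes:
    - Ingress
  # No "ingress" rules are listed, so all incoming connections are denied.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  # Applies only to the api pods; policies are additive, so this allow rule
  # punches a hole in the default-deny above for exactly this traffic.
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Apply with `kubectl apply -f <file>` and verify that a pod without the `app=frontend` label can no longer open a connection to an `app=api` pod on port 8080, while a frontend pod still can.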
### Firewall Ports

- Kubernetes processes such as the kubelet open several ports on all network interfaces; these should be firewalled from public access
- Some of these ports may "only" allow querying sensitive information, but others give full access to the cluster