I'm running k3s v0.3.0 on a small Ubuntu 18.04 VPS that is directly exposed to the internet, with no way to use cloud firewalls or the like.
It makes for a really neat dev environment, but I've noticed that port 6443 is reachable on the public interface, which I get is useful for reaching the cluster from the outside, but I'd still prefer to expose just 22 for SSH and have everything else listen on localhost, to be forwarded as necessary.
Filtering everything but ssh on the public interface with ufw causes all sorts of things within the cluster to break; apparently the Kubernetes API isn't reachable from within the cluster anymore, so that doesn't seem to be an option.
Is there any way to configure k3s to bind to 127.0.0.1 exclusively? Preferably using the curl-sh-combo from https://k3s.io?
Please see:
https://github.com/rancher/k3s#open-ports--network-security
Port 6443 must be open on the server. And you must anyway firewall the VXLAN port, so an extra rule for external access to 6443 should not be too hard IMHO.
I think @flxs just wants to open the port on a specific IP (such as 127.0.0.1, localhost), and not on 0.0.0.0 (all the IP addresses on the server).
The duplicate issue: https://github.com/rancher/k3s/issues/214
Yes, that's exactly what I want, I definitely wouldn't want to expose this sort of thing to the whole internet. I've filtered the port for now (turns out I botched the ufw config previously). Thanks for pointing out the existing issue for this!
@flxs That issue (#214) has been resolved and is ready to test with our latest RC (v0.4.0-rc1). Can you give it a try and let me know?
I'm facing the same issue as @flxs, I need to bind all k3s ports to 127.0.0.1.
I tried k3s v1.18.8 on Ubuntu Server 20.04.1 LTS with the following command line:
$ k3s server --disable=metrics-server --kube-controller-manager-arg=bind-address=127.0.0.1 --kube-apiserver-arg=bind-address=127.0.0.1 --kube-scheduler-arg=bind-address=127.0.0.1 --tls-san=127.0.0.1 --bind-address=127.0.0.1
The ports 6443, 6444 and 10010 are then bound to 127.0.0.1.
However, ports 10251 and 10252 are still publicly available, and I can fetch metrics from http://127.0.0.1:10251/metrics without authentication.
Am I missing something obvious here? Is there a built-in way to secure the services on these ports without interfering with iptables or ufw settings?
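A quick way to check whether the bind-address flags above actually took effect is to audit the listening-socket table for k3s ports that are still bound to a wildcard address. The script below is an added example and is not part of this thread or of k3s itself; it parses the field layout of `ss -ltnH` output, but runs here over a constructed sample (assumed to mirror the situation the previous comment describes) so it works offline. The port list K3S_PORTS is an assumption and can be edited.

```shell
#!/bin/sh
# Added example (not from the issue thread): report k3s control-plane ports that
# listen on a wildcard or non-loopback address instead of 127.0.0.1 / [::1].
# Input layout assumed: `ss -ltnH` (State Recv-Q Send-Q Local-Address:Port Peer).

# Constructed sample of `ss -ltnH` output: 6443/6444/10010 on loopback (as reported
# after passing --bind-address), 10251/10252 still on 0.0.0.0 and the IPv6 wildcard.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:6443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:6444 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:10010 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:10251 0.0.0.0:*
LISTEN 0 4096 *:10252 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Ports the thread is concerned with (apiserver, supervisor, containerd,
# scheduler metrics, controller-manager metrics). Assumed list; adjust as needed.
K3S_PORTS="6443 6444 10010 10251 10252"

# Print "port address" for every k3s port whose local address is not loopback.
# Usage: exposed_k3s_ports "$(ss -ltnH)"   (or the constructed sample below)
exposed_k3s_ports() {
    printf '%s\n' "$1" | awk -v ports="$K3S_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            # Local address is field 4; the port is whatever follows the last colon.
            local = $4
            if (match(local, /:[0-9]+$/) == 0) next
            port = substr(local, RSTART + 1)
            addr = substr(local, 1, RSTART - 1)
            if (!(port in want)) next
            # Loopback forms are fine; anything else is reachable from off-host.
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print port, addr
        }'
}

# Report on the constructed sample; on a live host pass "$(ss -ltnH)" instead.
exposed_k3s_ports "$SAMPLE_SS"
```

On the sample this prints `10251 0.0.0.0` and `10252 *`, the two ports the previous comment found still exposed; an empty result means every listed port is confined to loopback and only the host firewall rules for the remaining ports (SSH, VXLAN) need attention.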