Kubernetes: How to force kube-proxy to listen on localhost only

Question

In my configuration, very basic one (Only calico network, no apps yet) I have nginx-ingress running as NodePort - binding on port 30080. This port should be accessible only from localhost, but k8s opened this port for everyone, and since it's binding on 0.0.0.0 it's wide open now.

So I want to force kube-proxy to bind this port to 127.0.0.1 only.

I've tried modifing configmap to nginx-ingress (bind-address) but no luck with that.

Since this port is attached to kube-proxy - i was looking for kube-proxy config, but no luck at all. I've found yaml config file in /var/lib/kube-proxy but modifing it didn't change this.

After restarting pods, they are still binded to 0.0.0.0

I've tried many ways from internet, but still no luck.

Cluster was initialised with: kubeadm init --pod-network-cidr=10.XXX.XXX.XXX/XX --apiserver-advertise-address=X.X.X.X

Answer 1

Not sure if this is what you have been looking for however this way, it will listen on 127.0.0.1:NodePort

You need to change kube-proxy configmap but not bindAddress: (it should be left as it was bindAddress: 0.0.0.0) and default value nodePortAddresses: null should be changed to nodePortAddresses: ["127.0.0.0/8"]. It must be ["127.0.0.0/8"] as if you will change just to 127.0.0.1/8 kube-proxy pod will crush.

Change nodePortAddresses: null to nodePortAddresses: ["127.0.0.0/8"] and save using :wq. As default edit will open in VI text editor.

$ kubectl edit cm kube-proxy -n kube-system
configmap/kube-proxy edited

If you would like use nano as text editor you must use KUBE_EDITOR="nano" kubectl edit cm kube-proxy -n kube-system.

As example i have used Nginx deployment from this docs. Only chage was add type: NodePort to service YAML.

Now you will need to apply this new configuration to kube-proxy. Easiest way is to delete kube-proxy pod as daemonset.apps/kube-proxy will create new one with new config.

Original output:

$ kubectl get svc
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        19m
my-nginx     NodePort    10.109.237.94   <none>        80:31672/TCP   24s
$ netstat -plnt
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:31672           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      -                   
...                

Output with changed nodePortAddresses:

$ kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP        33m
my-nginx     NodePort    10.96.27.244   <none>        80:30679/TCP   2m40s
$ netstat -plnt
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:30679         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      -                   
...