Using Google Container Engine (GKE) with Container Optimized Images, the external interfaces (ephemeral IPs) seem to be listening on ports 110, 143, 993, 995, etc., as demonstrated via a port scan with nmap:

Nmap scan report for 236.185.xxx.xx.bc.googleusercontent.com (xx.xx.185.236)
Host is up (0.0025s latency).
Not shown: 65529 filtered ports
22/tcp   open   ssh
110/tcp  open   pop3
143/tcp  open   imap
993/tcp  open   imaps
995/tcp  open   pop3s
3389/tcp closed ms-wbt-server

I can connect via telnet, but the ports provide no response:

$telnet 35.192.xxx.xxx 993
Trying 35.192.xxx.xxx...
Connected to xxx.xxx.192.35.bc.googleusercontent.com.
Escape character is '^]'.
Connection closed by foreign host.

Finally, if you ssh to a node instance, there's no evidence of anything listening on ports 110, 143, 993, or 995.

Hoping to shed a light on this mystery!

  • Is this a brand new cluster? I tried on my cluster and the only open port was 22 – Patrick W Jun 14 '18 at 20:11
  • Yes! It happens for me on a brand new cluster. For example, config I used to create cluster: https://user-images.githubusercontent.com/30455/41474393-1541a3b4-7079-11e8-814f-1a3db3205d85.png . After creation: https://user-images.githubusercontent.com/30455/41474477-52944730-7079-11e8-89cd-c5a5a1253bb6.png . Finally scan against external ip of the single node: https://user-images.githubusercontent.com/30455/41474484-55432564-7079-11e8-92fc-7bea2a681c97.png – mbrevoort Jun 15 '18 at 14:52

I ran an nmap scan on a VM instance with an IP address of one of my nodes and I got the following results:

Starting Nmap 7.40 ( https://nmap.org ) at 2018-06-14 19:44 UTC
Nmap scan report for 70.133.xxx.xxx.bc.googleusercontent.com (
Host is up (0.0018s latency).
Not shown: 998 filtered ports
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds

However, when I ran an nmap scan using an online tool, I got the following:

Starting Nmap 7.01 ( https://nmap.org ) at 2018-06-14 19:46 UTC
Nmap scan report for 70.133.xxx.xxx.bc.googleusercontent.com (
Host is up (0.030s latency).
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
80/tcp   closed   http
110/tcp  filtered pop3
143/tcp  filtered imap
443/tcp  closed   https
3389/tcp filtered ms-wbt-server

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.98 seconds

I checked my Firewall rules to make sure that none of the ports other than 80 and 443 are allowed, and they were the only ones open.

To confirm that the ports such as ftp, pop3, and imap are not open, I ran a telnet and I got the following results:

telnet 993
telnet: Unable to connect to remote host: Connection timed out

The ports you mentioned should not be open. As I have run nmap on different nodes from different clusters, I am not experiencing the same behavior. This issue seems to be specific to your Project. I would recommend creating a private issue on our public issue tracker. You can create it here.
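
The check described in the question (external scan result versus what the node itself is listening on), as an added example that is not part of the original posts: it parses nmap's normal output and `ss -tln` output and lists ports reported open that have no non-loopback listener on the node. The scan lines are copied from the question; the `ss` output and all function names are constructed for illustration.

```python
import re

# One port line of nmap's normal output, e.g. "993/tcp  open   imaps".
PORT_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)", re.M)

def parse_nmap(text):
    """Map TCP port -> state as reported in nmap's human-readable output."""
    return {int(port): state for port, state in PORT_LINE.findall(text)}

def external_listeners(ss_text):
    """Ports with a LISTEN socket bound to a non-loopback address (ss -tln)."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        # A loopback-only socket cannot answer a scan of the external IP.
        if not addr.startswith("127.") and addr != "[::1]":
            ports.add(int(port))
    return ports

def open_without_listener(scan, listeners):
    """Ports the scan calls open although the node has no socket for them."""
    return sorted(p for p, s in scan.items() if s == "open" and p not in listeners)

# Port lines copied from the scan in the question.
QUESTION_SCAN = """\
22/tcp   open   ssh
110/tcp  open   pop3
143/tcp  open   imap
993/tcp  open   imaps
995/tcp  open   pop3s
3389/tcp closed ms-wbt-server
"""

# Constructed `ss -tln` output for a node where only sshd faces outward.
NODE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:10248      0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

if __name__ == "__main__":
    scan = parse_nmap(QUESTION_SCAN)
    for port in open_without_listener(scan, external_listeners(NODE_SS)):
        print(f"{port}/tcp reported open, but nothing on the node listens on it")
```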

