
This question is regarding a firewall rule on GCP.

I run my development and production servers on the same cluster and separate them by namespace only. For development, I expose a NodePort (e.g. 8000) and create a GCP firewall rule to access the development server.

Is this dangerous? The firewall rule would allow access to all pods at port 8000 on the cluster.

gke

1 Answer


The firewall rule is limited to your nodes only, and the range is 30000–32767. As @John Hanley mentioned, limit port access to specific CIDR block addresses. So, using port 30000 as an example, it opens a specific port on all the nodes (the VMs), and any traffic that is sent to this port is forwarded to a service, which only serves a subset of pods, not all pods.

dany L
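A guarded version of the firewall rule the answer describes, as an added example and not code from the original question or answer. It builds the gcloud command that opens one NodePort to one source CIDR, refuses a port outside the 30000–32767 NodePort range (the 8000 in the question would be rejected), and refuses a source range such as 0.0.0.0/0 that would open the port to anywhere. The network name dev-vpc, the node network tag gke-dev-node, the port 30080 and the source CIDR 203.0.113.0/24 are assumed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Builds (and only prints) the
# gcloud command that opens one NodePort to one source CIDR. Placeholders
# that are assumptions, not from the post: network "dev-vpc", node network
# tag "gke-dev-node", port 30080, source CIDR 203.0.113.0/24.
set -eu

NODEPORT_MIN=30000   # Kubernetes default NodePort range
NODEPORT_MAX=32767
NETWORK="dev-vpc"
TARGET_TAG="gke-dev-node"   # tag on the cluster nodes; without --target-tags the rule applies to every VM in the VPC

# A port outside 30000-32767 is not a NodePort at all, so refuse it.
valid_nodeport() {
  port="$1"
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$port" -ge "$NODEPORT_MIN" ] && [ "$port" -le "$NODEPORT_MAX" ]; then
    return 0
  fi
  return 1
}

# Accept only a well-formed IPv4 CIDR with a prefix of /8 or longer.
# 0.0.0.0/0 (the weak setting: reachable from anywhere) fails this check.
valid_source_range() {
  cidr="$1"
  case "$cidr" in */*) ;; *) return 1 ;; esac
  addr="${cidr%/*}"
  prefix="${cidr#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$prefix" -lt 8 ] || [ "$prefix" -gt 32 ]; then
    return 1
  fi
  old_ifs="$IFS"; IFS=.
  set -- $addr
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the firewall rule command once both checks pass; pipe the output to
# sh to apply it. The rule opens tcp:$port on the tagged nodes only; which
# pods answer is decided by the Service's selector, not by the firewall rule.
firewall_rule_cmd() {
  name="$1"; port="$2"; cidr="$3"
  valid_nodeport "$port" || { echo "refusing port $port: outside $NODEPORT_MIN-$NODEPORT_MAX" >&2; return 1; }
  valid_source_range "$cidr" || { echo "refusing source range $cidr: malformed or too wide" >&2; return 1; }
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --allow=tcp:%s --source-ranges=%s --target-tags=%s\n' \
    "$name" "$NETWORK" "$port" "$cidr" "$TARGET_TAG"
}

# Demo: the restricted rule prints; the wide-open variant is rejected.
if [ "${1:-}" = "--demo" ]; then
  firewall_rule_cmd allow-dev-nodeport 30080 203.0.113.0/24
  firewall_rule_cmd allow-dev-nodeport 30080 0.0.0.0/0 || true
fi
```

Run it with `--demo` to see the accepted and rejected cases, or `firewall_rule_cmd allow-dev-nodeport 30080 203.0.113.0/24 | sh` to apply the rule. Because development and production share the cluster in the question, the target tag only narrows the rule to this cluster's nodes rather than to all VMs in the VPC; separating development from production traffic still comes down to the Service that owns the NodePort and the pods its selector matches.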