unnecessary port exposure after installing

[ChrisHolman]

After installing RKE2 (rke2 version v1.25.9+rke2r1 (842d05e) there are unnecessary open ports exposed outside of the node, specifically these:

983002/kube-apiserv on 0.0.0.0:6443
1000/systemd-resolv on 0.0.0.0:5355
982742/kubelet on 0.0.0.0:10250
985099/calico-node on 0.0.0.0:9091

After disabling IPV6, they are still listening on 0.0.0.0. Can't seem to find a configuration option to lock down these services to the internal network only.

Any ideas?

[brandond]

As discussed on Slack:

• kube-apiserver needs to be exposed for obvious reasons.
• kubelet needs to be exposed so that metrics-server can scrape metrics and so that apiservers can connect for kubectl logs and kubectl exec.
• calico-node runs with host net because it is the CNI and needs to start before the cluster network is up, and I believe it also serves metrics
• systemd-resolved is (as the name suggests) part of systemd and I’m not sure why you’d report it here.

[ChrisHolman]

We're running RKE2 as a single node cluster, API server and kublet are in the same VM - so in this scenario, we don't need these services exposed globally.

For example, within K8s,(https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/#options) we can specify (within config file) --address string x.x.x.x, which sets the IP address for the service to serve on.

Does RKE2 allow us to override the configuration for each individual service, or are we stuck with it being exposed?

[brandond]

You can pass args to the individual components via kube-apiserver-arg, kubelet-arg, and so on. I'm not sure if the calico chart allow you to pass through args directly or not, but if so you'd need to configure that via an rke2-calico HelmChartConfig.