talos/internal/integration/api/testdata
Andrey Smirnov a3f88d2ef5
fix: block NodePort services with ingress firewall
The previous fix #10354 was not full/complete.

The problem lies in the fact that `kube-proxy` creates a rule like:

```
chain nat-prerouting {
	type nat hook prerouting priority dstnat; policy accept;
	jump services
}
```

This chain has a prerouting hook, which gets executed before Talos's
input hook, and rewrites (does DNAT) for NodePort services before Talos
has a chance to block the packet, but the rewritten packet hits the input
chain with the DNAT address, or might be forwarded to another host and never
hit the firewall again.

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2025-02-28 19:56:52 +04:00
..
nodeport.yaml fix: block NodePort services with ingress firewall 2025-02-28 19:56:52 +04:00