k3s will listen on random ports #9724
-
Environmental Info:
Node(s) CPU architecture, OS, and Version: Linux dev 4.19.90-2211.5.0.0178.22.uel20.aarch64 #1 SMP Thu Nov 24 10:33:07 CST 2022 aarch64 aarch64 aarch64 GNU/Linux
1 server 0 agent
Describe the bug:
When using netstat to check the listening port, a random port 38497 will be exposed. I want to use k3s on a single machine and not expose any ports at 0.0.0.0.
install command:
Expected behavior: All ports are listening on node-ip 198.19.11.11 or 127.0.0.1, not on 0.0.0.0
Additional context / logs:
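An added check for the symptom the reporter describes above, not code from this thread or from k3s: it parses `ss -tlnp` output and flags every listener bound to a wildcard address (0.0.0.0 or [::]) rather than to the node IP or loopback. The sample output embedded below is constructed; its process names and PIDs are assumed for illustration, only the port 38497 and the addresses come from the report.

```python
import re
from typing import List, Dict

# Wildcard local addresses that expose a listener on every interface.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -tlnp` output. Port 38497 and the addresses
# 198.19.11.11 / 127.0.0.1 come from the report above; the process names
# and PIDs are assumed for illustration.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:10248      0.0.0.0:*          users:(("k3s-server",pid=1234,fd=10))
LISTEN  0       4096    198.19.11.11:6443    0.0.0.0:*          users:(("k3s-server",pid=1234,fd=11))
LISTEN  0       4096    0.0.0.0:38497        0.0.0.0:*          users:(("cri-dockerd",pid=2345,fd=7))
LISTEN  0       4096    [::]:22              [::]:*             users:(("sshd",pid=800,fd=3))
"""

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Parse the LISTEN rows of `ss -tlnp` into dicts: addr, port, process, pid."""
    rows = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header line or non-LISTEN row
            continue
        addr, port, proc_field = m.groups()
        pm = PROC_RE.search(proc_field)
        rows.append({
            "addr": addr,
            "port": int(port),
            "process": pm.group(1) if pm else "",
            "pid": int(pm.group(2)) if pm else None,
        })
    return rows

def wildcard_listeners(ss_output: str, allowed_ports=()) -> List[Dict[str, object]]:
    """Return listeners bound on all interfaces, except ports explicitly allowed."""
    return [r for r in parse_listeners(ss_output)
            if r["addr"] in WILDCARD_ADDRS and r["port"] not in set(allowed_ports)]

if __name__ == "__main__":
    import subprocess  # run against the live host instead of the sample
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    for r in wildcard_listeners(out, allowed_ports={22}):
        print(f"port {r['port']} on {r['addr']} exposed by {r['process']} (pid {r['pid']})")
```

Run on the node as root so `ss` can report process names; anything listed that is not deliberately public is a candidate for binding to the node IP or 127.0.0.1.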
-
After my observation, this port is the spdy port of kubelet, and the kubectl exec command will communicate with this port.
However, when created using k3s, the port will be monitored at all addresses, which exposes the port to the outside by default and may cause security risks. How can I set the listening port to listen on localhost?
-
I've configured my k3s with
How to force k3s to listen on 127.0.0.1 for the spdy port, and set the address to bind-address for the Kubelet metrics port?
-
OK, I found how to force the kubelet metrics port to listen:
-
@bingfengfeifei what config are you using? I did not manage to reproduce that env. I never see a random port listening:
-
I confirm it is linked to the docker option. With the docker option:
and without the docker option:
-
@brandond Is there a solution to fix that before the PR will be validated?
Looks like it's the --streaming-bind-addr flag: https://github.com/Mirantis/cri-dockerd/blob/b138f5226ae901b99ea34d40ab1eaed1c26445a4/cmd/server.go#L171-L183
We could probably take a look at setting this to a fixed value in future releases.