cannot stop loadbalancer from binding to my public IP #11504
Comments
Please read the docs: https://docs.k3s.io/networking/networking-services#how-servicelb-works
|
Note that the --bind-address only affects the apiserver. It does not affect the loadbalancer, as the loadbalancer uses iptables to forward traffic and does not actually 'bind' to anything. Again, this is all covered in the docs. |
I have spent hours reading all kinds of docs, including your link. It does not specify how I change this behaviour. Can you explain to me how I get the setup that I want? I do not want the cluster to be open on my public IP.
…On 27 Dec 2024, 00:31, at 00:31, Brad Davidson ***@***.***> wrote:
Note that the --bind-address only affects the apiserver. It does not
affect the loadbalancer, as the loadbalancer uses iptables and does not
actually 'bind' to anything.
|
Set the node IP to the private IP, and don't set an external IP. |
Ah okay! How do I unset the external ip then?
…On 27 Dec 2024, 01:01, at 01:01, Brad Davidson ***@***.***> wrote:
Set the node IP to the private IP, and don't set an external IP.
|
After changing the CLI args, you'd probably need to |
@brandond I created a brand new VPS, only added --node-ip and did not supply --node-external-ip, and I can still reach the default traefik and any other service I create on the public IP. Is there any way to stop this behaviour? The docs are really unclear on this. |
You can set the loadBalancerSourceRanges field on your Service spec to restrict it. Ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/#:~:text=loadBalancerSourceRanges Note that servicelb does not "bind" to anything. It just works with the kubelet to forward traffic from the hostport, to the service. |
@brandond ah, that's interesting, thanks. How do I do that for everything including traefik? Because traefik is enabled by default, I don't create that service myself? |
It is configured at the Service level, so you'd need to set it through traefik chart values. This is all just core Kubernetes Loadbalancer Service stuff, not specific to Traefik or K3s. |
@brandond thanks! Sorry for that, I am just a bit bewildered by all the options, so I'm not sure what is k3s specific or not. My simple test works now by adding it to the traefik chart as described in the docs here: https://docs.k3s.io/helm#customizing-packaged-components-with-helmchartconfig and now the little test VPS seems to work like I want. Thanks again! |
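The restriction this thread settles on, written out as manifests: a HelmChartConfig that sets `loadBalancerSourceRanges` on the packaged Traefik Service, followed by the same field on a self-managed LoadBalancer Service. This is an added example, not a manifest posted by anyone in the issue; the CIDR `10.3.23.0/24`, the file name and the `demo-web` Service are assumptions to be replaced with your own values.

```yaml
# Example file: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
# (file name is an arbitrary choice; K3s applies manifests placed in this directory)
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik            # must match the name of the packaged traefik HelmChart
  namespace: kube-system
spec:
  valuesContent: |-
    service:
      # Traefik chart value that is rendered into
      # spec.loadBalancerSourceRanges of the traefik Service.
      # When the field is unset, any source address is accepted.
      loadBalancerSourceRanges:
        - 10.3.23.0/24     # assumed private network CIDR
---
# A Service you create yourself carries the field directly in its spec.
apiVersion: v1
kind: Service
metadata:
  name: demo-web           # hypothetical Service name
  namespace: default
spec:
  type: LoadBalancer
  selector:
    app: demo-web          # hypothetical pod label
  ports:
    - port: 8080
      targetPort: 8080
  loadBalancerSourceRanges:
    - 10.3.23.0/24         # assumed private network CIDR
```

After K3s has re-applied the chart, `kubectl -n kube-system get svc traefik -o jsonpath='{.spec.loadBalancerSourceRanges}'` shows whether the range reached the Service; a request from an address outside the range should then fail to connect.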
Environmental Info:
K3s Version:
k3s version v1.31.3+k3s1 (6e6af98)
go version go1.22.8
Node(s) CPU architecture, OS, and Version:
Linux trajan 6.12.6-arch1-1 #1 SMP PREEMPT_DYNAMIC Thu, 19 Dec 2024 21:29:01 +0000 x86_64 GNU/Linux
Cluster Configuration:
single server single node on a Hetzner VPS
Describe the bug:
I want k3s and the load balancer to only bind on an internal interface but it always binds to the public one as well. I cannot get it to stop binding to 0.0.0.0
Steps To Reproduce:
Expected behavior:
curl localhost or curl should give an error that it cannot connect
Actual behavior:
An HTTP response is given from traefik
Additional context / logs:
load balancing rules:
get svc --all-namespaces
kube-system traefik LoadBalancer 10.43.69.59 10.3.23.1 80:30497/TCP 2d10h