GCP Kubernetes: Ingress and external load balancer with IAP, lots of open ports when scanning with nmap
I have a k8s cluster running a Service behind an Ingress with an external HTTPS load balancer, and I have Identity-Aware Proxy protecting my system. The Ingress has a public IP, and when I scan it with nmap I see the following open ports:
PORT STATE SERVICE
43/tcp open whois
53/tcp open domain
80/tcp open http
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
89/tcp open su-mit-tg
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
700/tcp open epp
993/tcp open imaps
995/tcp open pop3s
1084/tcp open ansoft-lm-2
1085/tcp open webobjects
1089/tcp open ff-annunc
1443/tcp open ies-lm
1935/tcp open rtmp
3389/tcp open ms-wbt-server
5222/tcp open xmpp-client
5432/tcp open postgresql
5900/tcp open vnc
5901/tcp open vnc-1
5999/tcp open ncd-conf
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8089/tcp open unknown
8090/tcp open opsmessaging
8099/tcp open unknown
9100/tcp open jetdirect
9200/tcp open wap-wsp
20000/tcp open dnp
30000/tcp open ndmps
My question is: why are all these ports open? Is it open from the IAP, and if so, is this why I'm able to scan what seems to be the Ingress IP without authentication? And ultimately, can I close all but the HTTP/S ports for security? If it is the IAP, perhaps these need to be open to forward different traffic for different services that MAY be available but that are not in my cluster; does that explain this?

Any hints would be lovely. I've RTFMed, and everything about the Ingress seems to point to it only accepting HTTP/S traffic and forwarding to the Service/Deployment. Is it IAP that is leaving these ports open, or is it truly on the Ingress? It is the IP address associated with the Ingress. Do I need to add a FrontendConfig to my cluster to configure the Ingress to have these ports closed?

Thanks in advance!
I got a response from the wonderful support team at Google Cloud Platform. Thank you, Google. They confirmed my assumption that these ports are open for a variety of potential services, but our configuration only allows what we have requested through to our backend. Leaving this on Stack Overflow in case anyone else needs this info.
Clients communicate with a Google Front End (GFE) using your Kubernetes load balancer's external IP address, and the GFE communicates with your backend services using the internal IP address. The GFE is actually forwarding the traffic to the backend instances [1]. Each GFE is actually serving content as a proxy and is not part of your configuration [2].

Each GFE serves traffic for many customers as part of its overall security design [3], and the external IP address for your Kubernetes load balancer is programmed on a number of shared GFE servers worldwide. Because the GFE is not unique to you or your load balancer's configuration, it also accepts traffic on other TCP ports. However, incoming traffic to the GFE on other ports is NOT sent to your backends. This way, the GFE secures your instances by only acting on requests to ports you've configured, even if it is listening on more.

For that reason, you see more ports open than expected.

You can read more about this behavior here [4].
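The practical check that follows from the support answer is to compare what nmap reports as "open" on the load balancer IP with the ports your forwarding rules actually route to a backend: anything open but not in a forwarding rule is accepted by the shared GFE and dropped there, not by your cluster. The script below is an added example and is not part of the original post or of any Google tool. The nmap listing is a constructed subset of the one in the question, and the forwarding-rule JSON is a constructed stand-in for the shape of `gcloud compute forwarding-rules list --format=json` (rule names and the IP 203.0.113.10 are assumed values). The optional `probe_http` helper does a live request so you can confirm that only the forwarded ports ever answer HTTP; it is not exercised offline.

```python
"""Classify nmap 'open' ports on a GCP external HTTP(S) LB IP into
ports actually forwarded to a backend vs ports the shared GFE merely
accepts. Added example; all sample data below is constructed."""
import json
import re
import socket

# Constructed subset of the nmap output from the question.
NMAP_OUTPUT = """\
PORT      STATE SERVICE
43/tcp    open  whois
53/tcp    open  domain
80/tcp    open  http
443/tcp   open  https
3389/tcp  open  ms-wbt-server
5432/tcp  open  postgresql
8080/tcp  open  http-proxy
"""

# Constructed: mimics `gcloud compute forwarding-rules list --format=json`
# for a GKE Ingress-created LB (one rule for HTTP, one for HTTPS, same IP).
# Rule names and the IP address are assumed, not taken from the page.
FORWARDING_RULES_JSON = """\
[
  {"name": "k8s2-fr-example-http",  "IPAddress": "203.0.113.10",
   "portRange": "80-80",  "loadBalancingScheme": "EXTERNAL"},
  {"name": "k8s2-fr-example-https", "IPAddress": "203.0.113.10",
   "portRange": "443-443", "loadBalancingScheme": "EXTERNAL"}
]
"""

NMAP_LINE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)")


def parse_nmap_ports(text):
    """Return {port: state} for the TCP lines of nmap's normal output."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def forwarded_ports(rules_json, ip):
    """Ports on `ip` that a forwarding rule actually routes to a backend.
    portRange is 'lo-hi' (e.g. '80-80'); a bare 'lo' is treated as lo-lo."""
    ports = set()
    for rule in json.loads(rules_json):
        if rule.get("IPAddress") != ip:
            continue
        rng = rule.get("portRange", "")
        if not rng:
            continue
        lo, _, hi = rng.partition("-")
        hi = hi or lo
        ports.update(range(int(lo), int(hi) + 1))
    return ports


def classify(nmap_text, rules_json, ip):
    """Split nmap 'open' ports into forwarded-to-backend vs GFE-only."""
    scanned = parse_nmap_ports(nmap_text)
    fwd = forwarded_ports(rules_json, ip)
    open_ports = {p for p, s in scanned.items() if s == "open"}
    return {
        "forwarded": sorted(open_ports & fwd),        # reach your backend
        "gfe_only": sorted(open_ports - fwd),         # accepted, then dropped
        "configured_but_closed": sorted(fwd - open_ports),
    }


def probe_http(ip, port, host, timeout=3.0):
    """Live check (not run offline): send a minimal HTTP request and return
    the status line, or None if the GFE accepts the TCP connection but
    never answers. Only forwarded ports should yield a status line."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            return s.recv(128).split(b"\r\n", 1)[0].decode(errors="replace") or None
    except (socket.timeout, OSError):
        return None


if __name__ == "__main__":
    result = classify(NMAP_OUTPUT, FORWARDING_RULES_JSON, "203.0.113.10")
    for kind, ports in result.items():
        print(f"{kind:22s} {ports}")
```

On a real cluster, replace the constructed JSON with the output of `gcloud compute forwarding-rules list --format=json` and the IP with `kubectl get ingress <name> -o jsonpath='{.status.loadBalancer.ingress[0].ip}'`; the `gfe_only` list is the set the support answer describes as listened on but never sent to your backends.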
Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, credit this site or the original URL. For any questions contact: yoyou2525@163.com.