I have a k8s cluster running a service behind an Ingress with an external HTTPS load balancer, and I have Identity-Aware Proxy protecting my system. The Ingress has a public IP, and when I scan it with nmap I see the following open ports:
PORT STATE SERVICE
43/tcp open whois
53/tcp open domain
80/tcp open http
83/tcp open mit-ml-dev
84/tcp open ctf
85/tcp open mit-ml-dev
89/tcp open su-mit-tg
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
700/tcp open epp
993/tcp open imaps
995/tcp open pop3s
1084/tcp open ansoft-lm-2
1085/tcp open webobjects
1089/tcp open ff-annunc
1443/tcp open ies-lm
1935/tcp open rtmp
3389/tcp open ms-wbt-server
5222/tcp open xmpp-client
5432/tcp open postgresql
5900/tcp open vnc
5901/tcp open vnc-1
5999/tcp open ncd-conf
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8085/tcp open unknown
8086/tcp open d-s-n
8088/tcp open radan-http
8089/tcp open unknown
8090/tcp open opsmessaging
8099/tcp open unknown
9100/tcp open jetdirect
9200/tcp open wap-wsp
20000/tcp open dnp
30000/tcp open ndmps
My question is: why are all these ports open, are they opened by IAP, and if so, is that why I was able to scan what appears to be the Ingress IP without authentication, and ultimately can I close all ports except the HTTP/S secure ports? If it is IAP, maybe these need to be open to forward different traffic for different services that may be available but are not in my cluster; would that explain this?
Any hints would be great. I have RTFMed, and everything about Ingress seems to point to it only accepting HTTP/S traffic and forwarding it to Services/Deployments. Is it IAP keeping these ports open, or are they really open on the Ingress? It is the IP address associated with the Ingress. Do I need to add a FrontendConfig to my cluster to configure the Ingress to close these ports?
Thanks in advance!
Best answer
I got a reply from Google Cloud Platform's excellent support team. Thanks Google! They confirmed my hypothesis that these ports are open for various potential services, but our configuration only allows through what we have requested for our backend. Leaving this on Stack Overflow in case anyone else needs this information.
Clients communicate with a Google Front End (GFE) using your Kubernetes Load Balancer's external IP address and the GFE communicates with your backend services using the internal IP address. The GFE is actually forwarding the traffic to the backend instances [1]. Each GFE is actually serving content as a proxy and is not part of your configuration [2].
Each GFE serves traffic for many customers as part of its overall security design [3], and the external IP address for your Kubernetes load balancer is programmed on a number of shared GFE servers worldwide. Because the GFE is not unique to you or your load balancer's configuration, it also accepts traffic on other TCP ports. However, incoming traffic to the GFE on other ports is NOT sent to your backends. This way, the GFE secures your instances by only acting on requests to ports you've configured - even if it's listening on more.
For that reason, you see more ports open than expected.
You can read more about this behavior here [4].
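As an added example, not part of the question or the support reply above: a small Python check that reads an nmap listing like the one in the question together with the load balancer's forwarding rules, and separates ports the Ingress actually forwards from ports only the shared GFE answers. The IP address, rule names and the rule list are constructed stand-ins for what `gcloud compute forwarding-rules list --format=json` would return for your own load balancer.

```python
import re

# Constructed excerpt of the nmap listing from the question (nmap "normal" output).
NMAP_OUTPUT = """\
PORT STATE SERVICE
43/tcp open whois
80/tcp open http
443/tcp open https
3389/tcp open ms-wbt-server
5432/tcp open postgresql
8080/tcp open http-proxy
"""

# Constructed stand-in for `gcloud compute forwarding-rules list --format=json`:
# the two global rules an HTTP(S) Ingress creates, both on the scanned (placeholder) IP.
FORWARDING_RULES = [
    {"name": "k8s-fw-http", "IPAddress": "203.0.113.10", "portRange": "80-80"},
    {"name": "k8s-fw-https", "IPAddress": "203.0.113.10", "portRange": "443-443"},
]

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text):
    """Map (port, proto) -> (state, service) from nmap normal output; header lines are skipped."""
    scan = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            scan[(int(m[1]), m[2])] = (m[3], m[4])
    return scan


def frontend_ports(rules, ip):
    """Ports the load balancer really forwards for this IP, taken from its rules' portRange."""
    ports = set()
    for rule in rules:
        if rule["IPAddress"] != ip:
            continue
        lo, _, hi = rule["portRange"].partition("-")  # "80-80" or a single "80"
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def classify(scan, configured):
    """Split open TCP ports into ones the LB forwards and ones only the shared GFE answers."""
    forwarded, gfe_only = [], []
    for (port, proto), (state, _service) in sorted(scan.items()):
        if proto == "tcp" and state == "open":
            (forwarded if port in configured else gfe_only).append(port)
    return {"forwarded": forwarded, "gfe_shared_only": gfe_only}
```

Anything in `gfe_shared_only` is the behaviour the support reply describes: the GFE completes the TCP handshake, but no forwarding rule on your IP carries that port to a backend, so the scan result is not evidence of a backend exposure.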
Regarding "security - GCP Kubernetes: Ingress and external load balancer with IAP lots of open ports scanning nmap", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/65148555/