When I deploy my application it's externally exposed by design (it's bypassing UFW). I would like to block specific ports manually on Rancher nodes.
For example: I deploy an nginx app using Rancher on port 8081 and deploy a container manually using:
docker run --name some-nginx -d -p 8080:80 nginx
Using this tutorial I force Docker to not bypass UFW:
And it works, but only for containers deployed “by hand”. When I block all ports on UFW, the nginx deployed on port 8080 (by hand) is not accessible, but the one deployed by Rancher is externally accessible.
My conclusion is that containers deployed by Rancher bypass UFW even when “pure Docker” doesn't.
How do I manage this? How do I force Rancher to respect UFW on the Rancher host?
Is there a reason you’re publishing ports you don’t want to be exposed in the first place? The obvious solution would be to just not expose things that you don’t want to be exposed, or use ClusterIPs for them so they’re available only within the cluster.
For example: I deploy an application only for internal use in my company, from a specific IP. When I use a NodePort it's fully accessible from an external IP. When I use a ClusterIP it's not accessible from the browser (no port?).
Am I wrong? The idea is to deploy the app and block it on the firewall, allowing only specific IPs. But it's bypassing the firewalls :>.
Should I create a cluster with only local IPs and a reverse proxy in front of it? Is it necessary? Is there a simpler solution?
I think you should use the whitelist ingress annotation to limit access to specific source IPs. Normally it depends on your cluster setup… you could also use a front-facing reverse proxy/load balancer…
I never tried to use UFW for that… but depending on your needs the ingress annotation could answer some of them for sure…
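As an added example (not posted by anyone in this thread, and not Rancher's own configuration), here is what the suggested approach looks like in practice: the application is exposed as a ClusterIP Service, so it has no NodePort on the host at all, and an Ingress with the ingress-nginx `whitelist-source-range` annotation restricts access to the company's address ranges. The namespace, names, hostname and the CIDRs are placeholders; the manifest assumes the cluster runs the ingress-nginx controller (the annotation is specific to it).

```yaml
# Added example: ClusterIP Service + Ingress allowlist (ingress-nginx).
# Names, namespace, host and CIDRs are placeholders to be replaced.
apiVersion: v1
kind: Service
metadata:
  name: internal-app
  namespace: internal
spec:
  type: ClusterIP          # no NodePort: nothing is published on the node's interfaces
  selector:
    app: internal-app
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-app
  namespace: internal
  annotations:
    # Only these client source ranges may reach this Ingress; everyone else gets 403.
    # Replace with the office / VPN ranges that should be allowed.
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24,198.51.100.10/32"
spec:
  ingressClassName: nginx
  rules:
    - host: internal-app.example.internal   # placeholder hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-app
                port:
                  number: 80
```

Two caveats a practitioner should check before relying on this. First, the allowlist is evaluated against the client address the ingress controller sees: if a cloud load balancer or another proxy sits in front of it, the controller must be configured to trust the real client IP (for example via proxy protocol or `use-forwarded-headers` with a trusted proxy range, or by running the controller's Service with `externalTrafficPolicy: Local`), otherwise every request appears to come from the balancer and the filter either blocks everything or nothing. Second, the annotation only governs traffic that goes through the Ingress; any NodePort or host-published port left on the nodes is still reachable regardless of it, which is why the Service above is a ClusterIP.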