Limit node-proxy nodeport to local address

We’ve created a kubernetes cluster with local nodes. These nodes have both an internal and external ip. We’ve configured --address to make them all use their internal ip to communicate.

But when we create a service of type nodeport… It seems that it still binds on interfaces of the node.

We found a handy option provided by the kube-proxy: --nodeport-addresses, but it seems that it's not implemented by RKE. Ideally we would drop it into our cluster config:

services: 
  etcd: 
    ...OMITTED FOR BREVITY
  kube-api: 
    always_pull_images: false
    pod_security_policy: false
    service_node_port_range: "30000-32767"
  kubelet: 
    fail_swap_on: false
  kubeproxy:
    nodeport-addresses: "[172.16.0.0/24]"

https://rancher.com/docs/rke/latest/en/config-options/services/#kubernetes-network-proxy indicates no options are even implemented for kubeproxy. A look through the code seems to confirm this.

I’m thinking we could possibly add a high-level iptables rule to block… But since kube-proxy messes with the iptables also… this isn’t ideal. Also this is more overhead we have to add to the creation of new nodes.

Any suggestions? Is this something we could manually update in etcd/k8s state or container startup somewhere to add? Or is there maybe another option that will give us the desired outcome here?

Thanks!
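Whatever route is taken to get --nodeport-addresses onto kube-proxy, the question that follows is how to confirm on each node that NodePorts are reserved only on the internal address. The check below is an added example, not code from the post or from RKE: it parses `ss -lntp` style output and flags every listener in the 30000-32767 service_node_port_range that is bound to a wildcard or to an address outside 172.16.0.0/24 (both values taken from the cluster config above). The sample output is constructed for the example. Because kube-proxy steers NodePort traffic with iptables/IPVS rules, a socket listing only reflects the ports kube-proxy reserves, so treat this as a sanity check after the change rather than proof that nothing is reachable on the external IP.

```python
import ipaddress
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample of `ss -lntp` output (not taken from the post). The
# internal node address 172.16.0.10 and the external 203.0.113.5 are invented.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:30080      0.0.0.0:*         users:(("kube-proxy",pid=1234,fd=12))
LISTEN 0      4096   172.16.0.10:30443  0.0.0.0:*         users:(("kube-proxy",pid=1234,fd=13))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))
LISTEN 0      4096   203.0.113.5:31000  0.0.0.0:*         users:(("kube-proxy",pid=1234,fd=14))
LISTEN 0      4096   [::]:30500         [::]:*            users:(("kube-proxy",pid=1234,fd=15))
"""

# Values from the cluster config in the post: the NodePort range and the
# internal network kube-proxy should be limited to.
NODEPORT_RANGE = (30000, 32767)
INTERNAL_CIDRS = [ipaddress.ip_network("172.16.0.0/24")]

# Addresses that mean "every interface" in ss output.
WILDCARDS = {"0.0.0.0", "*", "::"}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*(.*)$")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> Iterator[Tuple[str, int, Optional[str]]]:
    """Yield (address, port, process) for each LISTEN line of `ss -lntp` output."""
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or a line that is not a listener
        local, rest = m.group(1), m.group(3)
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 colons
        addr = addr.strip("[]")
        proc = PROC_RE.search(rest)
        yield addr, int(port), (proc.group(1) if proc else None)


def classify_address(addr: str, internal_cidrs) -> Optional[str]:
    """Return None if the bind address is acceptable, otherwise the reason it is not."""
    if addr in WILDCARDS:
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in internal_cidrs):
        return None
    return "outside internal range"


def find_exposed_nodeports(ss_output: str,
                           internal_cidrs=INTERNAL_CIDRS,
                           port_range=NODEPORT_RANGE) -> List[dict]:
    """List NodePort-range listeners not confined to the internal network."""
    low, high = port_range
    findings = []
    for addr, port, process in parse_listeners(ss_output):
        if not low <= port <= high:
            continue  # not a NodePort; sshd on 22 etc. is out of scope here
        reason = classify_address(addr, internal_cidrs)
        if reason is not None:
            findings.append({"addr": addr, "port": port,
                             "process": process, "reason": reason})
    return findings


if __name__ == "__main__":
    # On a real node: subprocess.run(["ss", "-lntp"], capture_output=True, text=True).stdout
    for f in find_exposed_nodeports(SAMPLE_SS_OUTPUT):
        print(f"NodePort {f['port']} bound to {f['addr']} ({f['reason']}) by {f['process']}")
```

Run against the constructed sample it reports 30080 and 30500 (wildcard binds) and 31000 (bound to the external address), while 30443 on 172.16.0.10 passes. On a node, feed it the live `ss -lntp` output instead of the sample.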