I have Rancher installed on a single host with a number of services which all define internal port bindings. I also have a single load balancer which forwards 80/443 to the relevant services. This works wonderfully.
However, I was somewhat horrified to discover that every ‘internal’ port is mapped to a dynamic port on the host (obviously) but that it is also accessible to the outside world.
Specifically, if my internal container has an IP of 10.42.1.1 and a dynamic port of 63321, then visiting host:63321 bypasses the load balancer and takes you straight through to port 80.
Is this expected? I assumed that Rancher would update iptables to prevent accessing these?
What have I missed?
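Added example (editor's code, not from the original post or from Rancher): a POSIX shell check that lists every published port bound on all interfaces other than the ones the load balancer is meant to own (80 and 443 here). It runs over a constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output; the container names and port numbers in the sample are invented for illustration. On a real host, replace `SAMPLE_PORTS` with the live output of that command.

```shell
#!/bin/sh
# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Fields are tab-separated; the names and ports are made up for this example.
SAMPLE_PORTS='lb	0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp
web	0.0.0.0:63321->80/tcp
api	127.0.0.1:63322->8080/tcp, 0.0.0.0:63323->9090/tcp
db	5432/tcp'

# exposed_bypass_ports "<allowed host ports>"
# Prints "container host_port container_port" for every mapping that is
# published on all interfaces (0.0.0.0 or [::]) and whose host port is not in
# the allowed list. Loopback-only bindings and unpublished ports are ignored.
exposed_bypass_ports() {
    allowed="$1"   # space-separated host ports we intentionally expose
    printf '%s\n' "$SAMPLE_PORTS" | while IFS="$(printf '\t')" read -r name ports; do
        # One "ip:hostport->cport/proto" mapping per line, leading space stripped.
        printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' | while read -r mapping; do
            case "$mapping" in
                0.0.0.0:*-\>*|\[::\]:*-\>*) ;;   # reachable from any interface
                *) continue ;;                    # loopback-bound or not published
            esac
            hp=${mapping%%->*}; hp=${hp##*:}      # host port (works for IPv4 and [::])
            cp=${mapping#*->};  cp=${cp%/*}       # container port without /proto
            case " $allowed " in
                *" $hp "*) continue ;;            # the load balancer's own ports
            esac
            printf '%s %s %s\n' "$name" "$hp" "$cp"
        done
    done
}

# Usage: anything listed here can be reached directly, bypassing the load balancer.
exposed_bypass_ports "80 443"
```

For the sample above this reports `web 63321 80` and `api 63323 9090`; the `api` mapping on 127.0.0.1:63322 is not reported because a loopback binding is only reachable from the host itself. A caveat when reaching for iptables: Docker installs its port-publishing rules in the nat PREROUTING chain and filters the traffic in FORWARD, so a DROP rule added to the INPUT chain will not block these ports; the DOCKER-USER chain (Docker 17.06 and later) is the place for such filtering.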