Block all incoming traffic except for a service inside kubernetes

[wokalski]

We're using boundary for remote access to various targets. Thanks to boundary we heavily rely on SSO.

I want to simplify auth and additionally limit the attack surface. I'd like to talk to the Talos API via a worker. The worker would be the only service with an ingress. I don't understand if it's possible/how to:

• connect from a pod (the boundary worker)
• set up the firewall to restrict ingress from the outside to one port

Im also thinking that ideally I'd like not to configure the firewall manually so I just need a way to say "don't open the talos API to the public, and don't open anything to the public unless it's a deployment with a public API".

[sergelogvinov]

Hello, Talos dos not have firewall support by API. But you can do it using the daemonsets/static pods. But this is not recommended. You own iptabeles rules can affect the CNI plugin.

Cilium has ebpf node firewall , called CiliumClusterwideNetworkPolicy. This feature can help you.
See example:

# open to world kubernetes control-plane/talos ports
#
apiVersion: "cilium.io/v2"
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: controlplane-base
spec:
  nodeSelector:
    matchLabels:
      node-role.kubernetes.io/control-plane: ""
  ingress:
    - toPorts:
        - ports:
          - port: "6443"
            protocol: TCP
          - port: "2379"
            protocol: TCP
          - port: "2380"
            protocol: TCP
          - port: "50000"
            protocol: TCP
          - port: "50001"
            protocol: TCP