Networking

Overview

You can use the following information to write Kubernetes NetworkPolicy to control the inbound/outbound traffic between Longhorn components. This helps to reduce the damage when a malicious pod breaks into the in-cluster network.

The helm chart will install NetworkPolicy objects when the networkPolicies.enabled value is set to true. The manifests of these objects can be viewed in the git repository. Note that depending on the deployed CNI, not all Kubernetes clusters support NetworkPolicy. See the Kubernetes documentation for details.

If you are writing network policies, please revisit this page before upgrading Longhorn to make the necessary adjustments to your network policies. Note: Depending on your CNI for cluster network, there might be some delay when Kubernetes applying netowk policies to the pod. This delay may fail Longhorn recurring job for taking Snapshot or Backup of the Volume since it cannot access longhorn-manager in the beginning. This is a known issue found in K3s with Traefik and is beyond Longhorn control.

Longhorn Manager

Ingress:

From | Port | Protocol — | — | — Other Longhorn Manager | 9500 | TCP UI | 9500 | TCP Longhorn CSI plugin | 9500 | TCP Backup/Snapshot Recurring Job Pod | 9500 | TCP Longhorn Driver Deployer | 9500 | TCP Conversion Webhook Server | 9501 | TCP Admission Webhook Server | 9502 | TCP Recovery Backend Server | 9503 | TCP

Egress:

UI

ingress:

Users defined

egress:

To | Port | Protocol — | — | — Longhorn Manager | 9500 | TCP

Instance Manager

ingress

egress:

To | Port | Protocol — | — | — Other Instance Manager | 10000-30000 | TCP Backing Image Data Source | 8002 | TCP External Backupstore | User defined | TCP

Longhorn CSI plugin

ingress

None

egress:

To | Port | Protocol — | — | — Longhorn Manager | 9500 | TCP

Additional Info

Longhorn CSI plugin pods communitate with CSI sidecar pods over the Unix Domain Socket at <Kuberlet-Directory>/plugins/driver.longhorn.io/csi.sock

CSI sidecar (csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter)

ingress:

None

egress:

To | Port | Protocol — | — | — Kubernetes API server | Kubernetes API server port | TCP

Additional Info

CSI sidecar pods communitate with Longhorn CSI plugin pods over the Unix Domain Socket at <Kuberlet-Directory>/plugins/driver.longhorn.io/csi.sock

Driver deployer

ingress:

None

egress:

To | Port | Protocol — | — | — Longhorn Manager | 9500 | TCP Kubernetes API server | Kubernetes API server port | TCP

Engine Image

ingress:

None

egress:

None

Backing Image Manager

ingress:

From | Port | Protocol — | — | — Longhorn Manager | 8000 | TCP Other Backing Image Manager | 30001-31000 | TCP

egress:

To | Port | Protocol — | — | — Instance Manager | 10000-30000 | TCP Other Backing Image Manager | 30001-31000 | TCP Backing Image Data Source | 8000 | TCP

Backing Image Data Source

ingress:

From | Port | Protocol — | — | — Longhorn Manager | 8000 | TCP Instance Manager | 8002 | TCP Backing Image Manager | 8000 | TCP

egress:

To | Port | Protocol — | — | — Instance Manager | 10000-30000 | TCP User provided server IP to download the images from | user defined | TCP

Share Manager

ingress

From | Port | Protocol — | — | — Node in the cluster | 2049 | TCP

egress:

None

Backup/Snapshot Recurring Job Pod

ingress:

None

egress:

To | Port | Protocol — | — | — Longhorn Manager | 9500 | TCP

Uninstaller

ingress:

None

egress:

To | Port | Protocol — | — | — Kubernetes API server | Kubernetes API server port | TCP

Discover Proc Kubelet Cmdline

ingress:

None

egress:

None

Original GitHub issue: https://github.com/longhorn/longhorn/issues/1805