
service port security broken in v1.0

Describe the bug
In v1.0, applying the flag --onlyAllowTrafficServicePorts or setting enable_service_security to "true" doesn't apply any rules to restrict ports. v0.9.2 doesn't have this issue.

To Reproduce
Steps to reproduce the behavior:

  1. Deploy RKE2 with Cilium
  2. Deploy kube-vip in load balancer mode with bgp
  3. Create a LoadBalancer Service
  4. curl https://<lb_ip>:6443, :10250, etc. from an upstream device

Expected behavior
The Kubernetes API ports shouldn't be accessible via the LB IP when service port security is enabled.

Environment (please complete the following information):

  • OS/Distro: NixOS 25.05
  • Kubernetes Version: v1.31.7+rke2r1
  • Kube-vip Version: v1.0

Kube-vip.yaml:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-vip-lb
  namespace: kube-vip
spec:
  selector:
    matchLabels:
      app: kube-vip-lb
  template:
    metadata:
      labels:
        app: kube-vip-lb
    spec:
      containers:
      - name: kube-vip
        image: ghcr.io/kube-vip/kube-vip-iptables:v1.0
        args:
        - manager
        env:
        - name: vip_loglevel
          value: "-4"
        - name: svc_enable
          value: "true"
        - name: enable_service_security
          value: "true"
        - name: lb_class_name
          value: kube-vip
        - name: bgp_enable
          value: "true"
        - name: bgp_routerid
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: bgp_peers
          value: "192.168.100.11:64512,192.168.100.12:64512"
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - NET_RAW
      hostNetwork: true
  updateStrategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
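The curl step in the reproduction above can be turned into a repeatable check that probes the LB IP on the Service's own port and on the host ports that must stay closed, and reports any port that answers but is not part of the Service. The script below is an added example, not code from kube-vip or from the issue reporter. It assumes the Service exposes port 443 on the VIP (the issue only names 6443 and 10250 as host ports) and that a dropped packet shows up as a connect timeout; the loopback self-check uses constructed local sockets in place of a real VIP.

```python
import socket
import sys
from contextlib import closing

# Constructed defaults for the scenario in this issue: the Service exposes one
# port on the VIP, while the API server and kubelet ports of the node must not
# answer on that VIP. The service port (443) is an assumption; the issue only
# names 6443 and 10250 as the host ports that leaked.
SERVICE_PORT = 443
HOST_ONLY_PORTS = [6443, 10250]


def probe_port(ip, port, timeout=2.0):
    """Return True when a TCP handshake to ip:port completes before timeout.

    An iptables DROP shows up as a timeout and a REJECT as a refused
    connection; both are treated as 'not reachable'.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
        except OSError:  # socket.timeout is an OSError subclass
            return False
        return True


def probe_ports(ip, ports, timeout=2.0):
    """Probe every port in `ports` and return {port: reachable}."""
    return {p: probe_port(ip, p, timeout) for p in ports}


def leaked_ports(results, allowed_ports):
    """Ports that answered on the VIP but are not part of the Service spec."""
    allowed = set(allowed_ports)
    return sorted(p for p, reachable in results.items()
                  if reachable and p not in allowed)


def check_lb(ip, allowed_ports, extra_ports=HOST_ONLY_PORTS, timeout=2.0):
    """Probe the Service ports plus the host-only ports; return (results, leaked)."""
    ports = sorted(set(allowed_ports) | set(extra_ports))
    results = probe_ports(ip, ports, timeout)
    return results, leaked_ports(results, allowed_ports)


def local_demo():
    """Offline stand-in for the VIP check (constructed, loopback only).

    A listening loopback socket plays a host port that wrongly answers on the
    VIP; a port that was bound and immediately released plays a port the
    firewall blocks. Returns True when the check flags exactly the listener.
    """
    with closing(socket.socket()) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        open_port = srv.getsockname()[1]
        with closing(socket.socket()) as tmp:
            tmp.bind(("127.0.0.1", 0))
            closed_port = tmp.getsockname()[1]
        # closed_port is released now, so a connect to it is refused
        results = probe_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
        return leaked_ports(results, allowed_ports=[closed_port]) == [open_port]


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} <lb_ip> <service_port> [<service_port> ...]")
        return 2
    ip, allowed = argv[1], [int(p) for p in argv[2:]]
    results, leaked = check_lb(ip, allowed)
    for port, reachable in sorted(results.items()):
        print(f"{ip}:{port} {'reachable' if reachable else 'not reachable'}")
    if leaked:
        print(f"service port security NOT enforced: {leaked} answer on the VIP")
        return 1
    print("only the Service's ports answer on the VIP")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the upstream device as `python3 probe_lb.py <lb_ip> 443`; with service port security working, 6443 and 10250 time out and the exit status is 0, while the v1.0 behaviour described in the issue makes them connect and gives exit status 1. Run it from outside the cluster, not from a node, since a node reaches its own API server and kubelet regardless of what the VIP rules do.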