Gateway API opens 0-65535 TCP ports for HealthChecks even though only port 80 is ever used

Hello Google Team,

I have been using the new Gateway API in Google Kubernetes Engine (GKE) and have encountered a concern from our security team regarding the gkegw1-tsre-l7-default-global firewall rule. This rule currently opens a wide range of ports (0-65535) for health checks, as noted in the documentation [1]. However, upon examining the HealthChecks in the Compute Engine, it appears that only ports 80 and 10256 are actively used, with port 80 being the primary one for HealthChecks related to the Gateway.

Could you please provide an explanation for why the Gateway API requires all these ports to be open or what configuration might be missing on my side to reduce the number of ports?

Thank you for your attention to this matter.

Best regards,

A

[1] https://cloud.google.com/kubernetes-engine/docs/concepts/firewall-rules#gateway-fws


Hi @ElBarto ,

The firewall rule you mentioned, "gkegw1-tsre-l7-default-global", is created by default by GKE for the Gateway API. Since the Gateway API uses dynamic ports for health checks, the rule opens a wider range for ports 0-65535.

The Gateway API checks the health of its control plane components, which might use various ports for these health checks to ensure they are available and resilient to faults. Keeping a range of ports open provides flexibility in scheduling and distributing these components across nodes in the GKE cluster. Even if you see only ports 80 and 10256 in use now, the dynamic port range is there on purpose. It's designed that way to handle possible changes or different setups in the future.

I understand that your security team is worried about opening many ports, but you have to consider and discuss the security needs with them. I suggest you explore the option of limiting the range of open ports based on the requirements of your app. You may check this documentation about best practices for firewall rules, including ports.

Hi Marvin,

Thanks for the clarification.

I just wanted to confirm with you that there is no way to limit the number of ports opened by the Gateway "gkegw1-tsre-l7-default-global". Or am I missing something?

It's not the answer, just wanted to confirm if you were able to find the solution as I am facing the same issue. @ElBarto were you able to find a way to control the ports opened by the gateway?

It's not like the ports are wide-open to the world. Access to the ports is limited to the Google ranges for load balancers as well as any proxy subnet range you create.


Thanks for the response @garisingh. I understand that it's not wide-open to the world, but what if I want to limit the ports even for my proxy subnet? It shows a security vulnerability with the default port range. Is there a way to do that via Terraform or something?

You can create your own firewall rule(s) with a higher priority than 1000 (which is the priority used by the automatically generated rules).
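One way to act on that suggestion in Terraform, as an added example that is not code from the thread or from Google: in Google Cloud a numerically smaller priority value is evaluated first, so "higher priority than 1000" means a number below 1000. The pair of rules below allows only TCP 80 and 10256 (the two ports the original poster observed in the Compute Engine HealthChecks) from the Google health-check ranges and a proxy-only subnet, and then denies the remaining TCP ports from those same sources before the GKE-generated 0-65535 allow at priority 1000 is reached. The network name, the proxy-only subnet CIDR and the node target tag are placeholders; check the actual HealthChecks and the GKE-generated rule in your project before applying, because denying a port a health check really uses makes the backends unhealthy.

```hcl
# Added example (not from the thread or from Google). Placeholders:
#   my-vpc              -> your VPC network name
#   gke-my-cluster-node -> the network tag on your GKE nodes
#   10.129.0.0/23       -> your proxy-only subnet for the regional/global LB
# 130.211.0.0/22 and 35.191.0.0/16 are Google's published health-check source ranges.

locals {
  hc_sources = [
    "130.211.0.0/22",
    "35.191.0.0/16",
    "10.129.0.0/23", # proxy-only subnet (placeholder)
  ]
}

# Explicit allow for the two ports that are actually used.
resource "google_compute_firewall" "gateway_hc_allow" {
  name          = "gateway-hc-allow-80-10256"
  network       = "my-vpc"
  direction     = "INGRESS"
  priority      = 900 # evaluated before the GKE-generated rule at 1000
  source_ranges = local.hc_sources
  target_tags   = ["gke-my-cluster-node"]

  allow {
    protocol = "tcp"
    ports    = ["80", "10256"]
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Deny everything else from the same sources, still ahead of priority 1000,
# so the broad 0-65535 rule never matches for these ranges.
resource "google_compute_firewall" "gateway_hc_deny_other_ports" {
  name          = "gateway-hc-deny-other-ports"
  network       = "my-vpc"
  direction     = "INGRESS"
  priority      = 910 # after the allow above, before the GKE rule at 1000
  source_ranges = local.hc_sources
  target_tags   = ["gke-my-cluster-node"]

  deny {
    protocol = "tcp"
    ports    = ["0-79", "81-10255", "10257-65535"]
  }

  # Logging denies lets you spot a health check hitting an unexpected port
  # before it shows up as an unhealthy backend.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Leave the GKE-generated rule in place rather than editing it, since GKE may recreate it; the two rules above take effect first because of their lower priority numbers. If a later Gateway configuration starts using a different health-check port, the deny log entries will show it, and the allow rule's port list is the one place to extend.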
