This page documents the network communication between components in the Longhorn system. Using this information, users can write Kubernetes NetworkPolicy resources to control the inbound and outbound traffic of Longhorn components. This helps to limit the damage when a malicious pod breaks into the in-cluster network.

We have provided some example NetworkPolicy YAML files here. Note that depending on the deployed CNI plugin, not all Kubernetes clusters support NetworkPolicy. See here for more detail.

Longhorn Manager

ingress:

egress:

| To | Port | Protocol |
|---|---|---|
| Other Longhorn Manager | 9500 | TCP |
| Instance Manager | 8500; 10000-30000 | TCP |
| Backing Image Manager | 8000; 8001 | TCP |
| External Backupstore | User defined | TCP |
| Kubernetes API server | Kubernetes API server port | TCP |

UI

ingress:

User defined

egress:

| To | Port | Protocol |
|---|---|---|
| Longhorn Manager | 9500 | TCP |

Instance Manager

ingress:

| From | Port | Protocol |
|---|---|---|
| Longhorn Manager | 8500; 10000-30000 | TCP |
| Other Instance Manager | 10000-30000 | TCP |
| Node in the Cluster | 3260 | TCP |
|  | 10000-30000 | TCP |

egress:

| To | Port | Protocol |
|---|---|---|
| Other Instance Manager | 10000-30000 | TCP |
| Backing Image Manager | 8002 | TCP |
| External Backupstore | User defined | TCP |
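
The Instance Manager ingress rows above, written as a NetworkPolicy. This is an added example, not one of the Longhorn project's own manifests. It assumes the `longhorn-system` namespace, the pod labels shown, and a placeholder node CIDR, and it leaves out the 10000-30000 row that lists no source.

```yaml
# Added example. Assumed values: namespace, pod labels, node CIDR.
# Check the real labels with: kubectl -n longhorn-system get pods --show-labels
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: instance-manager-ingress        # hypothetical name
  namespace: longhorn-system            # assumed install namespace
spec:
  podSelector:
    matchLabels:
      longhorn.io/component: instance-manager   # assumed label
  policyTypes:
    - Ingress                           # egress is not restricted by this policy
  ingress:
    # From Longhorn Manager: 8500 and 10000-30000/TCP
    - from:
        - podSelector:
            matchLabels:
              app: longhorn-manager     # assumed label
      ports:
        - protocol: TCP
          port: 8500
        - protocol: TCP
          port: 10000
          endPort: 30000                # port range; needs a numeric "port"
    # From other Instance Manager pods: 10000-30000/TCP
    - from:
        - podSelector:
            matchLabels:
              longhorn.io/component: instance-manager
      ports:
        - protocol: TCP
          port: 10000
          endPort: 30000
    # From nodes in the cluster: 3260/TCP.
    # Nodes are not pods, so a podSelector cannot match them; use an ipBlock.
    - from:
        - ipBlock:
            cidr: 192.0.2.0/24          # placeholder; replace with the node network CIDR
      ports:
        - protocol: TCP
          port: 3260
```

Once a policy selects the Instance Manager pods, any ingress not listed in it is dropped, so apply it in a test cluster first and confirm volumes still attach.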

Longhorn CSI plugin

ingress:

None

egress:

Additional Info

ingress:

None

egress:

| To | Port | Protocol |
|---|---|---|
| Kubernetes API server | Kubernetes API server port | TCP |

Additional Info

CSI sidecar pods communicate with Longhorn CSI plugin pods over the Unix domain socket at <Kubelet-Directory>/plugins/driver.longhorn.io/csi.sock

Driver deployer

ingress:

None

egress:

| To | Port | Protocol |
|---|---|---|
| Longhorn Manager | 9500 | TCP |
| Kubernetes API server |  | TCP |

Conversion and Admission Webhook Server

ingress:

| From | Port | Protocol |
|---|---|---|
| Webhook Server | 9443 | TCP |

NFS Recovery Backend Server

ingress:

| From | Port | Protocol |
|---|---|---|
| Recovery Backend Server | 9600 | TCP |

Engine Image

ingress:

None

egress:

None

ingress:

egress:

| To | Port | Protocol |
|---|---|---|
| Instance Manager | 10000-30000 | TCP |
| Other Backing Image Manager | 30001-31000 | TCP |

Backing Image Data Source

ingress:

| From | Port | Protocol |
|---|---|---|
| Longhorn Manager | 8001 | TCP |
| Instance Manager | 8002 | TCP |

egress:

| To | Port | Protocol |
|---|---|---|
| Instance Manager | 10000-30000 | TCP |
| User provided server IP to download the images from | User defined | TCP |

Share Manager

ingress:

| From | Port | Protocol |
|---|---|---|
| Node in the cluster | 2049 | TCP |

egress:

Backup/Snapshot Recurring Job Pod

ingress:

None

egress:

Uninstaller

ingress:

None

egress:

| To | Port | Protocol |
|---|---|---|
| Kubernetes API server | Kubernetes API server port | TCP |

ingress:

None

egress:

None


Original GitHub issue: https://github.com/longhorn/longhorn/issues/1805