Longhorn Networking

Overview

This page documents the network communication between components in the Longhorn system. Using this information, users can write Kubernetes NetworkPolicy resources to control the inbound and outbound traffic of Longhorn components. This helps to reduce the damage when a malicious pod breaks into the in-cluster network.

We have provided some example NetworkPolicy YAML files here. Note that, depending on the deployed CNI, not all Kubernetes clusters support NetworkPolicy. See here for more detail.

Note: If you are writing network policies, please revisit this page before upgrading Longhorn to make the necessary adjustments to your network policies.

Longhorn Manager

Ingress:

| From | Port | Protocol |
|---|---|---|
| Other Longhorn Manager | 9500 | TCP |
| UI | 9500 | TCP |
| Longhorn CSI plugin | 9500 | TCP |
| Backup/Snapshot Recurring Job Pod | 9500 | TCP |
| Longhorn Driver Deployer | 9500 | TCP |

Egress:

| To | Port | Protocol |
|---|---|---|
| Other Longhorn Manager | 9500 | TCP |
| Instance Manager | 8500; 10000-30000 | TCP |
| Backing Image Manager | 8000; 8001 | TCP |
| External Backupstore | User defined | TCP |
| Kubernetes API server | Kubernetes API server port | TCP |

UI

ingress:

User defined

egress:

| To | Port | Protocol |
|---|---|---|
| Longhorn Manager | 9500 | TCP |

Instance Manager

ingress:

| From | Port | Protocol |
|---|---|---|
| Longhorn Manager | 8500; 10000-30000 | TCP |
| Other Instance Manager | 10000-30000 | TCP |
| Node in the Cluster | 3260 | TCP |
| Backing Image Manager | 10000-30000 | TCP |

egress:

| To | Port | Protocol |
|---|---|---|
| Other Instance Manager | 10000-30000 | TCP |
| Backing Image Manager | 8002 | TCP |
| External Backupstore | User defined | TCP |
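
As an added example (not one of Longhorn's published policies), the Instance Manager ingress rules listed above translate into the following NetworkPolicy. The namespace, the pod labels and the node CIDR are assumptions; check them against your own deployment before applying.

```yaml
# Added example, not Longhorn's own manifest. Assumed values: the namespace
# longhorn-system, the pod labels below, and the node CIDR 10.0.0.0/16.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: instance-manager-ingress
  namespace: longhorn-system
spec:
  podSelector:
    matchLabels:
      longhorn.io/component: instance-manager
  policyTypes:
    - Ingress            # egress is left unrestricted by this policy
  ingress:
    # Longhorn Manager -> 8500 and 10000-30000
    - from:
        - podSelector:
            matchLabels:
              app: longhorn-manager
      ports:
        - protocol: TCP
          port: 8500
        - protocol: TCP
          port: 10000
          endPort: 30000
    # Other Instance Managers and Backing Image Managers -> 10000-30000
    - from:
        - podSelector:
            matchLabels:
              longhorn.io/component: instance-manager
        - podSelector:
            matchLabels:
              longhorn.io/component: backing-image-manager
      ports:
        - protocol: TCP
          port: 10000
          endPort: 30000
    # Nodes in the cluster -> 3260
    - from:
        - ipBlock:
            cidr: 10.0.0.0/16   # placeholder: replace with your node CIDR
      ports:
        - protocol: TCP
          port: 3260
```

The `endPort` field only takes effect if the CNI plugin implements it; otherwise the rule covers just the single port given in `port`, so verify the range is actually enforced.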

Longhorn CSI plugin

ingress:

None

egress:

| To | Port | Protocol |
|---|---|---|
| Longhorn Manager | 9500 | TCP |

Additional Info

Longhorn CSI plugin pods communicate with CSI sidecar pods over the Unix domain socket at <Kubelet-Directory>/plugins/driver.longhorn.io/csi.sock

CSI sidecar (csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter)

ingress:

None

egress:

| To | Port | Protocol |
|---|---|---|
| Kubernetes API server | Kubernetes API server port | TCP |

Additional Info

CSI sidecar pods communicate with Longhorn CSI plugin pods over the Unix domain socket at <Kubelet-Directory>/plugins/driver.longhorn.io/csi.sock

Driver deployer

ingress:

None

egress:

| To | Port | Protocol |
|---|---|---|
| Longhorn Manager | 9500 | TCP |
| Kubernetes API server | Kubernetes API server port | TCP |

Conversion and Admission Webhook Server

ingress:

| From | Port | Protocol |
|---|---|---|
| Webhook Server | 9443 | TCP |

Engine Image

ingress:

None

egress:

None

Backing Image Manager

ingress:

| From | Port | Protocol |
|---|---|---|
| Longhorn Manager | 8000 | TCP |
| Other Backing Image Manager | 30001-31000 | TCP |

egress:

| To | Port | Protocol |
|---|---|---|
| Instance Manager | 10000-30000 | TCP |
| Other Backing Image Manager | 30001-31000 | TCP |

Backing Image Data Source

ingress:

| From | Port | Protocol |
|---|---|---|
| Longhorn Manager | 8001 | TCP |
| Instance Manager | 8002 | TCP |

egress:

| To | Port | Protocol |
|---|---|---|
| Instance Manager | 10000-30000 | TCP |
| User-provided server IP to download the images from | User defined | TCP |

Share Manager

ingress:

| From | Port | Protocol |
|---|---|---|
| Node in the cluster | 2049 | TCP |

egress:

None

Backup/Snapshot Recurring Job Pod

ingress:

None

egress:

| To | Port | Protocol |
|---|---|---|
| Longhorn Manager | 9500 | TCP |

Uninstaller

ingress:

None

egress:

| To | Port | Protocol |
|---|---|---|
| Kubernetes API server | Kubernetes API server port | TCP |

Discover Proc Kubelet Cmdline

ingress:

None

egress:

None


Original GitHub issue: https://github.com/longhorn/longhorn/issues/1805