Open Port Inventory

A Service Mesh Manager installation requires the following open service ports. Opening only the required ports helps keep the deployment's attack surface as small as possible. Each service is described in YAML format, listing all of its ports and how the service uses them. This helps you understand the risks associated with each open port.

Every service is described in a YAML file using the following format:

namespace: smm-system
name: mesh-manager
description: is used by our mesh-manager instance which manages istio operators on a kubernetes cluster
ports:
  - name: https
    number: 443
    use: handle https traffic and queries with tls/ssl

Useful commands

The following commands help you examine the services of your Service Mesh Manager deployment.

List the services in the smm-system namespace:

kubectl get services -n smm-system

Inspect a particular service, for example, smm-leo:

kubectl describe service smm-leo -n smm-system
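The inventory format and the kubectl commands above are meant to be used together: the YAML tells you which ports should be open, and kubectl tells you which ports actually are. The following script, an added example that is not part of Service Mesh Manager, reads inventory entries written in the page's YAML format and compares them with the JSON that `kubectl get services -n smm-system -o json` returns. Both inputs are constructed inline so it runs offline; the second inventory entry, the `smm-scratch` service, the `debug` port and the findings vocabulary are all hypothetical. The inventory parser handles only the exact shape shown above (scalar keys plus a `ports` list of `name`/`number`/`use` items), so it needs no YAML library.

```python
"""Drift check between an open-port inventory and live Kubernetes Services.

Added example, not Service Mesh Manager code. In practice KUBECTL_JSON would be
the output of `kubectl get services -n smm-system -o json`; here it is constructed.
"""
import json

# Constructed inventory in the page's per-service YAML format; several
# documents are separated by '---' so they can live in one file.
INVENTORY_YAML = """\
namespace: smm-system
name: mesh-manager
description: manages istio operators on a kubernetes cluster
ports:
  - name: https
    number: 443
    use: handle https traffic and queries with tls/ssl
---
namespace: smm-system
name: smm-web
description: serves the static content of the dashboard
ports:
  - name: http
    number: 80
    use: serve static web content
  - name: http-downloads
    number: 81
    use: serve the SMM binary download
"""

# Constructed stand-in for `kubectl get services -n smm-system -o json`.
# smm-web exposes an undocumented 'debug' port and lacks port 81; smm-scratch
# is not in the inventory at all and is reachable from outside via NodePort.
KUBECTL_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "mesh-manager", "namespace": "smm-system"},
         "spec": {"type": "ClusterIP",
                  "ports": [{"name": "https", "port": 443, "protocol": "TCP", "targetPort": 8443}]}},
        {"metadata": {"name": "smm-web", "namespace": "smm-system"},
         "spec": {"type": "ClusterIP",
                  "ports": [{"name": "http", "port": 80, "protocol": "TCP", "targetPort": 8080},
                            {"name": "debug", "port": 6060, "protocol": "TCP", "targetPort": 6060}]}},
        {"metadata": {"name": "smm-scratch", "namespace": "smm-system"},
         "spec": {"type": "NodePort",
                  "ports": [{"name": "http", "port": 9000, "protocol": "TCP",
                             "targetPort": 9000, "nodePort": 30900}]}},
    ],
})


def parse_inventory(text):
    """Parse the page's inventory format: top-level scalars plus a 'ports' list of
    name/number/use mappings. This is a tiny subset of YAML, not a general parser."""
    services = {}
    for doc in text.split("\n---\n"):
        entry = {"ports": []}
        for raw in doc.splitlines():
            line = raw.strip()
            if not line or line == "ports:":
                continue
            if line.startswith("- "):            # '- name: ...' starts a new port item
                entry["ports"].append({})
                line = line[2:]
            key, _, value = line.partition(":")
            value = value.strip()
            if raw.startswith("  ") and entry["ports"]:   # indented: belongs to current port
                entry["ports"][-1][key] = int(value) if key == "number" else value
            else:                                          # unindented: top-level scalar
                entry[key] = value
        services[(entry["namespace"], entry["name"])] = entry
    return services


def audit(inventory, kubectl_json):
    """Return (finding, (namespace, name), detail) tuples for each deviation from the inventory."""
    findings = []
    for svc in json.loads(kubectl_json)["items"]:
        key = (svc["metadata"]["namespace"], svc["metadata"]["name"])
        spec = svc["spec"]
        # Inventory entries say nothing about exposure, so flag anything reachable
        # from outside the cluster network regardless of whether it is documented.
        if spec.get("type") in ("NodePort", "LoadBalancer"):
            findings.append(("externally-exposed", key, spec["type"]))
        live = {p["port"] for p in spec.get("ports", [])}
        documented_entry = inventory.get(key)
        if documented_entry is None:
            findings.append(("undocumented-service", key, sorted(live)))
            continue
        documented = {p["number"] for p in documented_entry["ports"]}
        for port in sorted(live - documented):
            findings.append(("undocumented-port", key, port))
        for port in sorted(documented - live):
            findings.append(("documented-port-absent", key, port))
    return findings


def run_audit():
    """Run the check on the constructed inputs above."""
    return audit(parse_inventory(INVENTORY_YAML), KUBECTL_JSON)


if __name__ == "__main__":
    for finding, (namespace, name), detail in run_audit():
        print(f"{finding:24} {namespace}/{name}: {detail}")
```

Run it as-is to see the four findings on the constructed data; to check a real deployment, replace `KUBECTL_JSON` with the output of the `kubectl get services` command above and put the inventory entries for that namespace in `INVENTORY_YAML`. An `undocumented-port` or `undocumented-service` finding is the one worth chasing first, because it is a listener nobody assessed when the inventory was written.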

Services (namespace-scoped)

cert-manager

The cert-manager namespace contains the following services.

cert-manager

The cert-manager instance of Service Mesh Manager provides Kubernetes certificate management as part of the controller-component. The service uses these ports:

  • tcp-prometheus-servicemonitor (9402): The default port for the cert-manager service.

cert-manager-webhook

The cert-manager instance of Service Mesh Manager uses the service as part of the webhook-component. The service uses these ports:

  • https (443): Incoming http traffic for the webhooks.

istio-system

The istio-system namespace contains the following services.

istio-meshexpansion-cp-v115x

Service Mesh Manager provides multicluster expansion capabilities using this service, which is used for version 1.10 istio mesh-gateway expansion. The service uses these ports:

  • tcp-status-port (15021): Health check (readiness-probe) port for the Mesh Overview functionality and for troubleshooting Istio-related issues.

  • tls-istiod (15012): Handles incoming gRPC traffic for accessing istiod from passive clusters.

  • tls-istiodwebhook (15017): Handles incoming gRPC traffic for the istiod webhooks.

  • tls (15443): Handles incoming TLS traffic from other clusters.

  • tcp-smm-als-tls (50600): Handles incoming TLS traffic to access log services.

  • tcp-smm-zipkin-tls (59411): Default Zipkin port that handles incoming HTTPS traffic for distributed tracing services.

istio-meshexpansion-cp-v115x-external

Service Mesh Manager provides multicluster expansion capabilities using this external service, which is used for version 1.10 istio mesh-gateway expansion. The service uses these ports:

  • tcp-status-port (15021): Health check (readiness-probe) port for the Mesh Overview functionality and for troubleshooting Istio-related issues.

  • tls-istiod (15012): Handles incoming gRPC traffic for accessing istiod from passive clusters.

  • tls-istiodwebhook (15017): Handles incoming gRPC traffic for the istiod webhooks.

  • tls (15443): Handles incoming TLS traffic from other clusters.

  • tcp-smm-als-tls (50600): Handles incoming TLS traffic to access log services.

  • tcp-smm-zipkin-tls (59411): Default Zipkin port that handles incoming HTTPS traffic for distributed tracing services.

istiod-cp-v115x

Used by the Istio 1.10 control plane. The service uses these ports:

  • grpc-xds (15010): Handles gRPC traffic for the xDS transport protocol, which is used by the Envoy discovery services and the Istio proxies.

  • https-dns (15012): Handles DNS requests (with TLS) for the Istio service-mesh.

  • https-webhook (443): Handles incoming HTTPS traffic (with TLS) for Istio webhook management.

  • http-monitoring (15014): Handles HTTP monitoring requests and queries about the traffic management between microservices.

smm-system

The smm-system namespace contains the following services.

istio-operator-v113x

Istio-operator version 1.13, which is the controller of Istio resources, uses this service to manage Istio 1.13 deployments. The service uses these ports:

  • https (443): Handles the incoming HTTPS traffic for the Istio webhook.

istio-operator-v113x-authproxy

RBAC-authenticated endpoints use this service for istio-operator version 1.13. The service uses these ports:

  • https (8443): Authenticated (RBAC or TLS) endpoint for providing access to Prometheus metrics.

istio-operator-v115x

Istio-operator version 1.15, which is the controller of Istio resources, uses this service to manage Istio 1.15 deployments. The service uses these ports:

  • https (443): Handles the incoming HTTPS traffic for the Istio webhook.

istio-operator-v115x-authproxy

RBAC-authenticated endpoints use this service for istio-operator version 1.15. The service uses these ports:

  • https (8443): Authenticated (RBAC or TLS) endpoint for providing access to Prometheus metrics.

mesh-manager

The mesh-manager instance of Service Mesh Manager that manages Istio operators on a Kubernetes cluster uses this service. The service uses these ports:

  • https (443): Handles HTTPS traffic and queries with TLS/SSL.

mesh-manager-authproxy

The mesh-manager instance of Service Mesh Manager acts as an authentication proxy to the mesh-manager service. The service uses these ports:

  • https (8443): Authenticated (RBAC or TLS) endpoint for providing access to Prometheus metrics.

prometheus-node-exporter

The Prometheus instances use this service as an exporter for Kubernetes nodes. The service uses these ports:

  • metrics (19101): Exposes node-level metrics to Prometheus.

prometheus-operated

Used by the Prometheus instances of Service Mesh Manager. The service uses these ports:

  • http (9090): Handles normal HTTP traffic and Prometheus queries.

  • grpc (10901): Default port to handle incoming gRPC traffic.

smm

The Service Mesh Manager uses this service as part of the application-component. The service uses these ports:

  • http (80): Handles GraphQL API traffic and queries.

  • http-metrics (10000): Exports metrics to the Prometheus service.

smm-als

The Service Mesh Manager uses the smm-als service as part of the als-component. The service uses these ports:

  • grpc-als (50600): The container port of the grpc-als container, used for accessing log services.

smm-authentication

The smm-authentication instance verifies that a user has a valid token or certificate to make API calls to the backend service. The service uses these ports:

  • http (80): Handles HTTP traffic and GraphQL queries.

smm-expansion-gw

This is the external service of the mesh expansion gateway of the local cluster. It is synced with the cluster registry so that smm stays reachable from the peer clusters even when several active Istio control planes exist. The service uses these ports:

smm-federation-gateway

The smm-federation-gateway instance provides federation to GraphQL services via this service. The service uses these ports:

  • http (80): Handles HTTP traffic and GraphQL queries.

smm-grafana

The Service Mesh Manager uses the Grafana dashboard monitoring service as part of the grafana-component. The service uses these ports:

  • http (3000): Exposes GraphQL web interface and API endpoints over HTTP.

smm-health

The smm-health instance, which includes the health controller and exporter, uses this service as part of the health-component. The service uses these ports:

  • http-metrics (8080): Exports metrics to the Prometheus service.

smm-health-api

The smm-health-api instance uses the service for the GraphQL API. The service uses these ports:

  • http-graphql (80): Handles HTTP traffic and GraphQL queries.

smm-ingressgateway

The service is part of the ingressgateway-component, which acts as a load balancer receiving incoming HTTP or TCP connections. The service uses these ports:

  • http2 (80): Handles traffic to the Service Mesh Manager dashboard.

smm-jaeger-agent

Jaeger agents can send traces to the Jaeger collector. The service is part of the tracing-component. The service uses these ports:

  • udp-agent-zipkin (5775): Default UDP port for zipkin-thrift tracing services.

  • udp-agent-compact (6831): Default UDP port for the Jaeger agent endpoint.

  • udp-agent-binary (6832): Default UDP port for the Jaeger agent binary protocol.

smm-jaeger-collector

The Jaeger collector receives traces from Jaeger agents via this service. It is part of the tracing-component. The service uses these ports:

  • tcp-smm-jaeger-collector-tchannel (14267): Default TCP port of tchannel for Jaeger collector.

  • http-jaeger-collector (14268): Default port of Jaeger collector to handle HTTP traffic.

smm-jaeger-query

Service Mesh Manager uses this service to access Jaeger. It is part of the tracing-component. The service uses these ports:

  • http-query (16686): Handles normal HTTP traffic and queries for the tracing services.

smm-kubelet-node-discovery

kubelet uses this service to export metrics. The service uses these ports:

  • https-metrics (10250): kubelet-service default port, used for exporting metrics to Prometheus services over TLS/SSL.

  • http-metrics (10255): kubelet-service default port, used for exporting metrics to Prometheus services without encryption.

  • cadvisor (4194): Port of the container advisor (cAdvisor), which exposes Prometheus metrics out of the box.

smm-kubestatemetrics

Part of the kubestatemetrics-component. The service uses these ports:

  • http-monitoring (42422): Monitoring port for the kube-state-metrics application (HTTP).

  • http-telemetry (15014): Telemetry port for the kube-state-metrics application (HTTP).

smm-leo

Makes cert-manager Istio-aware. It is part of the leo-component. The service uses these ports:

  • http-metrics (8080): Export metrics to Prometheus services.

smm-prometheus

Used for event monitoring and alerting as part of the prometheus-component. The service uses these ports:

  • http (59090): Default port of the Prometheus service for handling HTTP traffic and queries.

smm-prometheus-operator

The smm-prometheus-operator instance which is the controller of the Prometheus application uses this service. The service uses these ports:

  • http (8080): Incoming webhook traffic and Prometheus exporter for operator metrics.

smm-sre-alert-exporter

Used by the smm-sre-alert-exporter instance. The service uses these ports:

  • http-metrics (8080): Used for exporting Prometheus alerting status as metrics.

smm-sre-api

The smm-sre-api instance uses this service for the GraphQL API. The service uses these ports:

  • http-graphql (80): Handles HTTP traffic and GraphQL queries.

smm-sre-controller

Used by the smm-sre instance, as part of the sre-controller-component. The service uses these ports:

  • http-metrics (8080): Exports metrics to the Prometheus service.

smm-tracing

The Service Mesh Manager uses this service as part of the tracing-component. The service uses these ports:

  • http-query (80): Handles the Jaeger user interface and HTTP API traffic.

smm-vm-integration

The vm-integration instance uses the service for the GraphQL API. The service uses these ports:

  • http (8080): Handles GraphQL API traffic and queries.

  • http-metrics (8081): HTTP metrics from the controller.

  • http-istiostate (8082): Metrics mapping Istio resources to each other.

smm-web

The Service Mesh Manager uses this service as part of the web-component. The service uses these ports:

  • http (80): Serves static web content used by the Service Mesh Manager dashboard.

  • http-downloads (81): Serves the functionality for downloading the SMM binary file; used by the Service Mesh Manager dashboard.

smm-zipkin

The Service Mesh Manager uses this service as part of the tracing-component. The service uses these ports:

  • http (59411): Default Zipkin port for handling HTTP traffic and distributed tracing mechanisms.