Open Port Inventory

A Streaming Data Manager installation requires the following open service ports. Opening only the required ports helps to keep the deployment’s attack surface as small as possible. Each service is described in YAML format, with the list of all the ports and how the service uses them. This helps to understand the risks associated with all the open ports.

Every service is described in a YAML file using the following format:

  namespace: supertubes-system
  name: supertubes-ui-backend
  description: supertubes-ui-backend provides the frontend and graphql API functionality for SDM.
  ports:
    - name: http
      number: 80
      use: Serves both frontend static files and graphql endpoint for the SDM dashboard.

Useful commands

The following commands help you examine the services of your Streaming Data Manager deployment.

List services under supertubes-system namespace:

kubectl get services -n supertubes-system

Inspect a particular service, for example, supertubes-ui-backend:

kubectl describe service supertubes-ui-backend -n supertubes-system

Services (namespace-scoped)

csr-operator-system

The csr-operator-system namespace contains the following services.

csr-operator

Used by the Kubernetes API to send the resource events to the operator. The service uses these ports:

https (443): Handles incoming HTTPS traffic (with TLS) for CSR operator.

csr-operator-authproxy

Acts as the authentication proxy for the csr-operator. The service uses these ports:

https (8443): Authenticated (RBAC or TLS) endpoint for providing access to CSR operator.

istio-system

The istio-system namespace contains the following services.

istio-operator-authproxy

Acts as an authentication proxy to the istio-operator-operator service. The service uses these ports:

https (8443): Authenticated (RBAC or TLS) endpoint for providing access to istio-operator-operator service.

istio-operator-operator

Used by the Kubernetes API to send the resource events to the operator. The service uses these ports:

https (443): Handles incoming HTTPS traffic (with TLS) for Istio operator.

istiod-mymesh

Used by the Istio control plane. The service uses these ports:

grpc-xds (15010): Handles gRPC traffic for xds transport protocol, which is used for Envoy discovery services and Istio proxies.
https-dns (15012): Handles DNS requests (with TLS) for the Istio service-mesh.
https-webhook (443): Handles incoming HTTPS traffic (with TLS) for Istio webhook management.
http-monitoring (15014): Handles HTTP requests or queries for monitoring of the traffic management between microservices.

kafka

The kafka namespace contains the following services.

kafka-0

Provides access to kafka broker with id 0. The service uses these ports:

tcp-internal (29092): Used for Kafka client communication.
tcp-controller (29093): Used for Kafka client communication.
metrics (9020): Used for Prometheus metrics query.

kafka-1

Provides access to kafka broker with id 1. The service uses these ports:

tcp-internal (29092): Used for Kafka client communication.
tcp-controller (29093): Used for Kafka client communication.
metrics (9020): Used for Prometheus metrics query.

kafka-all-broker

Provides access to the kafka cluster as a whole. The service uses these ports:

tcp-internal (29092): Used for Kafka client communication.
tcp-controller (29093): Used for Kafka client communication.

kafka-connect-headless-kafka

Provides access to the Schema registry REST API for clients in case of multiple schema registries. The service uses these ports:

tcp-kfk-conn (8083): Handles standard HTTP traffic for the API.

kafka-connect-svc-kafka

Provides access to the Kafka Connect REST API for clients. The service uses these ports:

tcp-kfk-conn (8083): Handles standard HTTP traffic for the API.
metrics (9020): Used for Prometheus metrics query.

kafka-cruisecontrol-svc

Used by the Koperator to interact with Cruise Control. The service uses these ports:

cc (8090): Handles standard HTTP traffic for Cruise Control.
metrics (9020): Used for Prometheus metrics query.

kafka-kminion

Used by Prometheus to scrape kminion metrics. The service uses these ports:

metrics (8080): Used for Prometheus metrics query.

kafka-operator-alertmanager

Used by Prometheus to send alerts to. The service uses these ports:

http-alerts (9001): Handles HTTP calls for alert management.

kafka-operator-authproxy

Acts as the authentication proxy for koperator. The service uses these ports:

https (8443): Authenticated (RBAC or TLS) endpoint for providing access to koperator.

kafka-operator-operator

Used by the Kubernetes API to send webhook events to. The service uses these ports:

https (443): Handles HTTP traffic for webhook events.

schema-registry-headless-kafka

Provides access to the Schema registry REST API for clients in case of multiple schema registries. The service uses these ports:

tcp-sch-reg (8081): Handles standard HTTP traffic for the API.

schema-registry-svc-kafka

Provides access to the Schema registry REST API for clients. The service uses these ports:

tcp-sch-reg (8081): Handles standard HTTP traffic for the API.
metrics (9020): Used for Prometheus metrics query.

supertubes-system

The supertubes-system namespace contains the following services.

imagepullsecrets-controller

Used by Prometheus to scrape metrics. The service uses these ports:

http-metrics (8080): Used for Prometheus metrics query.

prometheus-operated

Used by the Prometheus instances of SDM. The service uses these ports:

web (9090): Handles normal HTTP traffic and Prometheus queries.

prometheus-operator-grafana

SDM uses the Grafana dashboard monitoring service as part of the grafana-component. The service uses these ports:

service (80): Exposes GraphQL web interface and API endpoints over HTTP.

prometheus-operator-kube-state-metrics

Part of the kubestatemetrics-component. The service uses these ports:

http (8080): Monitoring port for the kube-state-metrics application (HTTP).

prometheus-operator-operator

The controller of the Prometheus application uses this service. The service uses these ports:

https (443): Incoming webhook traffic and Prometheus exporter for operator metrics.

prometheus-operator-prometheus

Used for event monitoring and alerting as part of the prometheus-component. The service uses these ports:

web (9090): Port of the Prometheus service for handing HTTP traffic and queries.

prometheus-operator-prometheus-node-exporter

The Prometheus instances use this service as an exporter for Kubernetes nodes. The service uses these ports:

metrics (9100): Exposes node-level metrics to Prometheus.

supertubes

Used by the Kubernetes API to send webhook events to. The service uses these ports:

https (8443): Authenticated (RBAC or TLS) endpoint for providing access to supertubes.
webhook-server (443): Handles HTTP traffic for webhook events.

supertubes-authproxy

Acts as the authentication proxy for supertubes. The service uses these ports:

https (8443): Authenticated (RBAC or TLS) endpoint for providing access to supertubes.

supertubes-ui-backend

supertubes-ui-backend provides the frontend and graphql API funcionality for SDM. The service uses these ports:

http (80): Serves both frontend static files and graphql endpoint for the SDM dashboard.

zookeeper

The zookeeper namespace contains the following services.

zookeeper-server-admin-server

Used by clients to access the zookeeper admin server. The service uses these ports:

tcp-admin-server (8080): Handles zookeeper admin client traffic.

zookeeper-server-client

Used by clients to access zookeeper. The service uses these ports:

tcp-client (2181): Handles client traffic to zookeeper.

zookeeper-server-headless

Used by the zookepeer nodes for internal operations. The service uses these ports:

tcp-client (2181): Handles client traffic to zookeeper.
tcp-quorum (2888): Handles zookeeper quorum operational traffic.
tcp-leader-election (3888): Handles zookeeper leader election traffic.
tcp-metrics (7000): Handles Prometheus metric scraping.
tcp-admin-server (8080): Handles zookeeper admin client traffic.