Open Port Inventory
A Streaming Data Manager installation requires the following open service ports. Opening only the required ports helps to keep the deployment's attack surface as small as possible. Each service is described in YAML format, listing all of its ports and how the service uses them, which helps you understand the risks associated with each open port.
Every service is described in a YAML file using the following format:
namespace: supertubes-system
name: supertubes-ui-backend
description: supertubes-ui-backend provides the frontend and graphql API functionality for SDM.
ports:
  - name: http
    number: 80
    use: Serves both frontend static files and graphql endpoint for the SDM dashboard.
Useful commands
The following commands help you examine the services of your Streaming Data Manager deployment.
List the services in the supertubes-system namespace:
kubectl get services -n supertubes-system
Inspect a particular service, for example, supertubes-ui-backend:
kubectl describe service supertubes-ui-backend -n supertubes-system
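The inventory format above can be checked mechanically against what a namespace actually exposes. The following is an added example, not part of the Streaming Data Manager project: it parses one service entry in the page's YAML format, reads the JSON that kubectl get services -n <namespace> -o json prints, and reports ports that are open but undocumented (and vice versa). The live service listing embedded here is constructed for the example, including a hypothetical extra port.

```python
import json

# Added example, not SDM project code: compare the documented port
# inventory with the Service objects actually present in a namespace.

def load_inventory(text):
    """Parse one service described in the page's flat YAML format.
    Handles only that schema (scalars plus a 'ports' list); use PyYAML for richer files."""
    entry, ports, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "ports:":
            continue
        if line.startswith("- "):          # start of a new port item
            current = {}
            ports.append(current)
            line = line[2:]
        key, _, value = line.partition(":")
        (current if current is not None else entry)[key.strip()] = value.strip()
    entry["ports"] = [{**p, "number": int(p["number"])} for p in ports]
    return entry

def port_drift(inventory, services_json):
    """Return (unexpected, missing) sets of (service name, port) pairs.
    services_json is the output of `kubectl get services -n <ns> -o json`."""
    expected = {(e["name"], p["number"]) for e in inventory for p in e["ports"]}
    live = set()
    for svc in json.loads(services_json)["items"]:
        for p in svc["spec"].get("ports", []):
            live.add((svc["metadata"]["name"], p["port"]))
    return live - expected, expected - live

# Constructed sample: the supertubes-ui-backend entry from this page, plus a
# hypothetical live listing in which an extra "debug" port has been exposed.
UI_BACKEND_YAML = """\
namespace: supertubes-system
name: supertubes-ui-backend
description: supertubes-ui-backend provides the frontend and graphql API functionality for SDM.
ports:
  - name: http
    number: 80
    use: Serves both frontend static files and graphql endpoint for the SDM dashboard.
"""
LIVE_SERVICES = json.dumps({"items": [
    {"metadata": {"name": "supertubes-ui-backend"},
     "spec": {"ports": [{"name": "http", "port": 80}, {"name": "debug", "port": 6060}]}},
]})

if __name__ == "__main__":
    unexpected, missing = port_drift([load_inventory(UI_BACKEND_YAML)], LIVE_SERVICES)
    print("undocumented open ports:", unexpected)   # {('supertubes-ui-backend', 6060)}
    print("documented but absent:", missing)         # set()
```

Run it against the real cluster by feeding the kubectl JSON output into port_drift together with every inventory file for that namespace; any entry in the first set is a port to close or to add to the inventory with a documented use.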
Services (namespace-scoped)
csr-operator-system
The csr-operator-system namespace contains the following services.
csr-operator
Used by the Kubernetes API to send resource events to the operator. The service uses these ports:
- https (443): Handles incoming HTTPS traffic (with TLS) for the CSR operator.
csr-operator-authproxy
Acts as the authentication proxy for the csr-operator. The service uses these ports:
- https (8443): Authenticated (RBAC or TLS) endpoint for providing access to the CSR operator.
istio-system
The istio-system namespace contains the following services.
istio-operator-authproxy
Acts as an authentication proxy to the istio-operator-operator service. The service uses these ports:
- https (8443): Authenticated (RBAC or TLS) endpoint for providing access to the istio-operator-operator service.
istio-operator-operator
Used by the Kubernetes API to send resource events to the operator. The service uses these ports:
- https (443): Handles incoming HTTPS traffic (with TLS) for the Istio operator.
istiod-mymesh
Used by the Istio control plane. The service uses these ports:
- grpc-xds (15010): Handles gRPC traffic for the xDS transport protocol, which is used for Envoy discovery services and Istio proxies.
- https-dns (15012): Handles DNS requests (with TLS) for the Istio service mesh.
- https-webhook (443): Handles incoming HTTPS traffic (with TLS) for Istio webhook management.
- http-monitoring (15014): Handles HTTP requests or queries for monitoring of the traffic management between microservices.
kafka
The kafka namespace contains the following services.
kafka-0
Provides access to the Kafka broker with id 0. The service uses these ports:
- tcp-internal (29092): Used for Kafka client communication.
- tcp-controller (29093): Used for Kafka client communication.
- metrics (9020): Used for Prometheus metrics queries.
kafka-1
Provides access to the Kafka broker with id 1. The service uses these ports:
- tcp-internal (29092): Used for Kafka client communication.
- tcp-controller (29093): Used for Kafka client communication.
- metrics (9020): Used for Prometheus metrics queries.
kafka-all-broker
Provides access to the Kafka cluster as a whole. The service uses these ports:
- tcp-internal (29092): Used for Kafka client communication.
- tcp-controller (29093): Used for Kafka client communication.
kafka-connect-headless-kafka
Provides access to the Schema registry REST API for clients in case of multiple schema registries. The service uses these ports:
- tcp-kfk-conn (8083): Handles standard HTTP traffic for the API.
kafka-connect-svc-kafka
Provides access to the Kafka Connect REST API for clients. The service uses these ports:
- tcp-kfk-conn (8083): Handles standard HTTP traffic for the API.
- metrics (9020): Used for Prometheus metrics queries.
kafka-cruisecontrol-svc
Used by the Koperator to interact with Cruise Control. The service uses these ports:
- cc (8090): Handles standard HTTP traffic for Cruise Control.
- metrics (9020): Used for Prometheus metrics queries.
kafka-kminion
Used by Prometheus to scrape kminion metrics. The service uses these ports:
- metrics (8080): Used for Prometheus metrics queries.
kafka-operator-alertmanager
Used by Prometheus as the destination for alerts. The service uses these ports:
- http-alerts (9001): Handles HTTP calls for alert management.
kafka-operator-authproxy
Acts as the authentication proxy for the Koperator. The service uses these ports:
- https (8443): Authenticated (RBAC or TLS) endpoint for providing access to the Koperator.
kafka-operator-operator
Receives webhook events from the Kubernetes API. The service uses these ports:
- https (443): Handles HTTP traffic for webhook events.
schema-registry-headless-kafka
Provides access to the Schema registry REST API for clients in case of multiple schema registries. The service uses these ports:
- tcp-sch-reg (8081): Handles standard HTTP traffic for the API.
schema-registry-svc-kafka
Provides access to the Schema registry REST API for clients. The service uses these ports:
- tcp-sch-reg (8081): Handles standard HTTP traffic for the API.
- metrics (9020): Used for Prometheus metrics queries.
supertubes-system
The supertubes-system namespace contains the following services.
imagepullsecrets-controller
Used by Prometheus to scrape metrics. The service uses these ports:
- http-metrics (8080): Used for Prometheus metrics queries.
prometheus-operated
Used by the Prometheus instances of SDM. The service uses these ports:
- web (9090): Handles normal HTTP traffic and Prometheus queries.
prometheus-operator-grafana
SDM uses the Grafana dashboard monitoring service as part of the grafana-component. The service uses these ports:
- service (80): Exposes the GraphQL web interface and API endpoints over HTTP.
prometheus-operator-kube-state-metrics
Part of the kubestatemetrics-component. The service uses these ports:
- http (8080): Monitoring port for the kube-state-metrics application (HTTP).
prometheus-operator-operator
The controller of the Prometheus application uses this service. The service uses these ports:
- https (443): Incoming webhook traffic and Prometheus exporter for operator metrics.
prometheus-operator-prometheus
Used for event monitoring and alerting as part of the prometheus-component. The service uses these ports:
- web (9090): Port of the Prometheus service for handling HTTP traffic and queries.
prometheus-operator-prometheus-node-exporter
The Prometheus instances use this service as an exporter for Kubernetes nodes. The service uses these ports:
- metrics (9100): Exposes node-level metrics to Prometheus.
supertubes
Receives webhook events from the Kubernetes API. The service uses these ports:
- https (8443): Authenticated (RBAC or TLS) endpoint for providing access to supertubes.
- webhook-server (443): Handles HTTP traffic for webhook events.
supertubes-authproxy
Acts as the authentication proxy for supertubes. The service uses these ports:
- https (8443): Authenticated (RBAC or TLS) endpoint for providing access to supertubes.
supertubes-ui-backend
supertubes-ui-backend provides the frontend and graphql API functionality for SDM. The service uses these ports:
- http (80): Serves both frontend static files and the graphql endpoint for the SDM dashboard.
zookeeper
The zookeeper namespace contains the following services.
zookeeper-server-admin-server
Used by clients to access the ZooKeeper admin server. The service uses these ports:
- tcp-admin-server (8080): Handles ZooKeeper admin client traffic.
zookeeper-server-client
Used by clients to access ZooKeeper. The service uses these ports:
- tcp-client (2181): Handles client traffic to ZooKeeper.
zookeeper-server-headless
Used by the ZooKeeper nodes for internal operations. The service uses these ports:
- tcp-client (2181): Handles client traffic to ZooKeeper.
- tcp-quorum (2888): Handles ZooKeeper quorum operational traffic.
- tcp-leader-election (3888): Handles ZooKeeper leader election traffic.
- tcp-metrics (7000): Handles Prometheus metric scraping.
- tcp-admin-server (8080): Handles ZooKeeper admin client traffic.