Longhorn Networking

Overview

This page documents the network communication between the components of the Longhorn system. With this information, users can write Kubernetes NetworkPolicy objects that control the inbound and outbound traffic of each Longhorn component, which limits the damage a malicious pod can do once it has a foothold in the in-cluster network.

We have provided some NetworkPolicy example YAMLs here. Alternatively, enable the NetworkPolicy setting in the Helm chart to install them [https://github.com/longhorn/longhorn/blob/master/chart/values.yaml]. Note that not all Kubernetes clusters support NetworkPolicy; enforcement depends on the deployed CNI. The API server accepts a NetworkPolicy object even when no CNI enforces it, so verify enforcement (for example, by confirming that a pod in the namespace can no longer reach a port the policy does not allow) rather than relying on the object's existence. See here for more detail.

Note: If you write network policies, revisit this page before upgrading Longhorn and adjust your policies to any changed ports or components.

Note: Depending on the cluster CNI, there may be a delay between a pod starting and Kubernetes applying network policies to it. This delay can cause a Longhorn recurring job for taking a Snapshot or Backup of a Volume to fail, because the job pod cannot reach longhorn-manager at startup. This is a known issue observed on K3s with Traefik and is outside Longhorn's control.

Longhorn Manager

Ingress:

From                                 Port    Protocol
Other Longhorn Manager               9500    TCP
UI                                   9500    TCP
Longhorn CSI plugin                  9500    TCP
Backup/Snapshot Recurring Job Pod    9500    TCP
Longhorn Driver Deployer             9500    TCP
Conversion Webhook Server            9501    TCP
Admission Webhook Server             9502    TCP
Recovery Backend Server              9503    TCP

The last three rows name servers hosted by longhorn-manager rather than their clients. The conversion and admission webhooks on 9501 and 9502 are invoked by the Kubernetes API server, which is usually not a pod that a podSelector can match; an ingress rule for these ports therefore has to allow the API server's addresses (for example with ipBlock).

Egress:

To                           Port                         Protocol
Other Longhorn Manager       9500                         TCP
Instance Manager             8500; 8501                   TCP
Backing Image Manager        8000                         TCP
Backing Image Data Source    8000                         TCP
External Backupstore         User defined                 TCP
Kubernetes API server        Kubernetes API server port   TCP

Pods reach the API server through the kubernetes ClusterIP service, but most CNIs evaluate egress policy after the service DNAT, so the egress rule must allow the API server endpoint addresses and port (kubectl get endpoints kubernetes) rather than the ClusterIP.
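The following NetworkPolicy is an added example, not part of the Longhorn documentation or chart; it turns the two longhorn-manager tables above into one policy. The pod labels, the API server endpoint addresses (10.0.0.10 and 10.0.0.11 on TCP 6443), the backupstore address (203.0.113.20 on TCP 9000), the CoreDNS label and the app=longhorn-recurring-job label for job pods are assumptions to be checked against your cluster. The DNS rule at the end is not in the tables; it is added because a pod whose egress is restricted can no longer resolve the backupstore hostname or the kubernetes service name without it.

```yaml
# Added example (not from the Longhorn docs or chart): a NetworkPolicy for the
# longhorn-manager pods built from the Ingress and Egress tables above.
# Assumed values, to be checked in your cluster:
#   - pod labels: app=longhorn-manager, app=longhorn-ui, app=longhorn-csi-plugin,
#     app=longhorn-driver-deployer, longhorn.io/component=instance-manager,
#     longhorn.io/component=backing-image-manager,
#     longhorn.io/component=backing-image-data-source, and the hypothetical
#     app=longhorn-recurring-job for job pods
#     (kubectl -n longhorn-system get pods --show-labels)
#   - kube-apiserver endpoints 10.0.0.10 and 10.0.0.11 on TCP 6443
#     (kubectl get endpoints kubernetes)
#   - external backupstore 203.0.113.20 on TCP 9000
#   - CoreDNS in kube-system with label k8s-app=kube-dns
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: longhorn-manager
  namespace: longhorn-system
spec:
  podSelector:
    matchLabels:
      app: longhorn-manager
  policyTypes: [Ingress, Egress]
  ingress:
    # 9500: the five in-cluster clients from the Ingress table
    - from:
        - podSelector: {matchLabels: {app: longhorn-manager}}
        - podSelector: {matchLabels: {app: longhorn-ui}}
        - podSelector: {matchLabels: {app: longhorn-csi-plugin}}
        - podSelector: {matchLabels: {app: longhorn-driver-deployer}}
        - podSelector: {matchLabels: {app: longhorn-recurring-job}}  # assumed label
      ports:
        - {port: 9500, protocol: TCP}
    # 9501/9502: the conversion and admission webhooks are called by
    # kube-apiserver, which a podSelector cannot match, so allow its
    # endpoint addresses with ipBlock
    - from:
        - ipBlock: {cidr: 10.0.0.10/32}
        - ipBlock: {cidr: 10.0.0.11/32}
      ports:
        - {port: 9501, protocol: TCP}
        - {port: 9502, protocol: TCP}
    # 9503: the table does not name the recovery backend's client; this allows
    # any pod in the namespace and should be narrowed once the client is known
    - from:
        - podSelector: {}
      ports:
        - {port: 9503, protocol: TCP}
  egress:
    - to:
        - podSelector: {matchLabels: {app: longhorn-manager}}
      ports:
        - {port: 9500, protocol: TCP}
    - to:
        - podSelector: {matchLabels: {longhorn.io/component: instance-manager}}
      ports:
        - {port: 8500, protocol: TCP}
        - {port: 8501, protocol: TCP}
    - to:
        - podSelector: {matchLabels: {longhorn.io/component: backing-image-manager}}
        - podSelector: {matchLabels: {longhorn.io/component: backing-image-data-source}}
      ports:
        - {port: 8000, protocol: TCP}
    # external backupstore ("user defined" in the table)
    - to:
        - ipBlock: {cidr: 203.0.113.20/32}
      ports:
        - {port: 9000, protocol: TCP}
    # Kubernetes API server: most CNIs evaluate egress after the service DNAT,
    # so allow the endpoint IPs and port, not the kubernetes ClusterIP on 443
    - to:
        - ipBlock: {cidr: 10.0.0.10/32}
        - ipBlock: {cidr: 10.0.0.11/32}
      ports:
        - {port: 6443, protocol: TCP}
    # not in the table: without DNS the pod cannot resolve the backupstore
    # hostname or the kubernetes service name once Egress is restricted
    - to:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
          podSelector: {matchLabels: {k8s-app: kube-dns}}
      ports:
        - {port: 53, protocol: UDP}
        - {port: 53, protocol: TCP}
```

Apply it with kubectl apply -f and then watch the longhorn-manager pods' readiness and the longhorn-manager logs for webhook or API server connection errors; a rejected connection there usually means one of the assumed addresses or labels is wrong for your cluster. The policy only allows traffic; nothing is denied until a default-deny policy for the namespace exists.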

UI

Ingress:

User defined (for example, from your ingress controller or load balancer)

Egress:

To                       Port    Protocol
Longhorn Manager         9500    TCP
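The "user defined" UI ingress is where the allow-list meets the cluster's edge, so the following added example (not part of the Longhorn documentation or chart) shows a namespace-wide default-deny, the DNS exception that the other component policies in the namespace rely on, and a UI policy that admits only the ingress controller. The UI container port (8000), the app=longhorn-ui label, the ingress controller namespace and label (ingress-nginx; on K3s, Traefik runs in kube-system with app.kubernetes.io/name=traefik) and the CoreDNS label are assumptions to be checked in your cluster.

```yaml
# Added example (not from the Longhorn docs or chart): default-deny for the
# namespace, a namespace-wide DNS exception, and the "user defined" UI ingress.
# Assumed values, to be checked in your cluster:
#   - the UI container listens on TCP 8000 and carries app=longhorn-ui
#   - the ingress controller runs in namespace ingress-nginx with label
#     app.kubernetes.io/name=ingress-nginx
#   - CoreDNS in kube-system with label k8s-app=kube-dns
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: longhorn-system
spec:
  podSelector: {}            # every pod in the namespace
  policyTypes: [Ingress, Egress]
  # no ingress/egress rules: nothing is allowed unless another policy adds it
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: longhorn-system
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
          podSelector: {matchLabels: {k8s-app: kube-dns}}
      ports:
        - {port: 53, protocol: UDP}
        - {port: 53, protocol: TCP}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: longhorn-ui
  namespace: longhorn-system
spec:
  podSelector:
    matchLabels:
      app: longhorn-ui
  policyTypes: [Ingress, Egress]
  ingress:
    # "user defined": only the ingress controller, not every pod in the cluster
    - from:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: ingress-nginx}}
          podSelector: {matchLabels: {app.kubernetes.io/name: ingress-nginx}}
      ports:
        - {port: 8000, protocol: TCP}
  egress:
    - to:
        - podSelector: {matchLabels: {app: longhorn-manager}}
      ports:
        - {port: 9500, protocol: TCP}
```

Do not apply the default-deny object on its own: once it exists, every component on this page needs its own allow policy or it loses connectivity. Apply the per-component policies first, then the default-deny, and confirm afterwards that a scratch pod in longhorn-system cannot reach longhorn-manager on 9500 while the UI still loads through the ingress controller.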

Instance Manager

Ingress:

From                          Port          Protocol
Longhorn Manager              8500; 8501    TCP
Other Instance Manager        10000-30000   TCP
Node in the Cluster           3260          TCP
Backing Image Data Source     10000-30000   TCP

Port 3260 is the iSCSI target. The initiator is the node's host, not a pod, so a podSelector cannot match this traffic; the node addresses have to be allowed with ipBlock, and whether host-originated traffic is subject to policy at all depends on the CNI.

Egress:

To                           Port           Protocol
Other Instance Manager       10000-30000    TCP
Backing Image Data Source    8002           TCP
External Backupstore         User defined   TCP
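The instance manager is where two things the manager policy did not need show up: a port range, and a client that is not a pod. The following NetworkPolicy is an added example, not part of the Longhorn documentation or chart, built from the two tables above plus the Backing Image Manager egress row further down this page, which lists instance managers on 10000-30000 as a target although the ingress table above does not name it as a client. The pod labels, the node CIDR (10.0.0.0/24), the backupstore address (203.0.113.20 on TCP 9000) and the availability of the endPort field (GA in Kubernetes 1.25) are assumptions to be checked in your cluster.

```yaml
# Added example (not from the Longhorn docs or chart): a NetworkPolicy for the
# instance-manager pods built from the tables above plus the Backing Image
# Manager egress row that targets instance managers on 10000-30000.
# Assumed values, to be checked in your cluster:
#   - pod labels: longhorn.io/component=instance-manager, app=longhorn-manager,
#     longhorn.io/component=backing-image-manager,
#     longhorn.io/component=backing-image-data-source
#   - node addresses in 10.0.0.0/24 (kubectl get nodes -o wide)
#   - external backupstore 203.0.113.20 on TCP 9000
#   - a Kubernetes release where NetworkPolicy endPort is available (GA in 1.25)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: longhorn-instance-manager
  namespace: longhorn-system
spec:
  podSelector:
    matchLabels:
      longhorn.io/component: instance-manager
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {matchLabels: {app: longhorn-manager}}
      ports:
        - {port: 8500, protocol: TCP}
        - {port: 8501, protocol: TCP}
    # engine/replica data path: one range expression instead of 20001 rules
    - from:
        - podSelector: {matchLabels: {longhorn.io/component: instance-manager}}
        - podSelector: {matchLabels: {longhorn.io/component: backing-image-data-source}}
        - podSelector: {matchLabels: {longhorn.io/component: backing-image-manager}}
      ports:
        - {port: 10000, endPort: 30000, protocol: TCP}
    # 3260 is the iSCSI target; the initiator is iscsid on the node itself,
    # not a pod, so the node CIDR must be allowed with ipBlock. A podSelector
    # never matches this traffic because it originates from the host.
    - from:
        - ipBlock: {cidr: 10.0.0.0/24}
      ports:
        - {port: 3260, protocol: TCP}
  egress:
    - to:
        - podSelector: {matchLabels: {longhorn.io/component: instance-manager}}
      ports:
        - {port: 10000, endPort: 30000, protocol: TCP}
    - to:
        - podSelector: {matchLabels: {longhorn.io/component: backing-image-data-source}}
      ports:
        - {port: 8002, protocol: TCP}
    # external backupstore ("user defined" in the table)
    - to:
        - ipBlock: {cidr: 203.0.113.20/32}
      ports:
        - {port: 9000, protocol: TCP}
```

Two checks after applying: attach a volume to a pod on a node and confirm the iSCSI session is established, because whether ipBlock rules apply to host-originated traffic varies between CNIs; and, if the backupstore is configured by hostname rather than address, add the same DNS egress rule that longhorn-manager needs, since the engine inside the instance manager performs the backup upload and must resolve that name. The share-manager's NFS port 2049 has the same host-client shape as 3260 and needs the same ipBlock treatment.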

Longhorn CSI plugin

Ingress:

None

Egress:

To                       Port    Protocol
Longhorn Manager         9500    TCP

Additional Info

Longhorn CSI plugin pods communicate with the CSI sidecar pods over the Unix domain socket at <Kubelet-Directory>/plugins/driver.longhorn.io/csi.sock. Traffic over a Unix domain socket never enters the pod network and is not affected by NetworkPolicy.

CSI sidecar (csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter)

Ingress:

None

Egress:

To                       Port                         Protocol
Kubernetes API server    Kubernetes API server port   TCP

Additional Info

CSI sidecar pods communicate with the Longhorn CSI plugin pods over the Unix domain socket at <Kubelet-Directory>/plugins/driver.longhorn.io/csi.sock, which, as above, is outside the scope of NetworkPolicy.

Driver deployer

Ingress:

None

Egress:

To                       Port                         Protocol
Longhorn Manager         9500                         TCP
Kubernetes API server    Kubernetes API server port   TCP

Engine Image

Ingress:

None

Egress:

None

Backing Image Manager

Ingress:

From                           Port           Protocol
Longhorn Manager               8000           TCP
Other Backing Image Manager    30001-31000    TCP

Egress:

To                             Port           Protocol
Instance Manager               10000-30000    TCP
Other Backing Image Manager    30001-31000    TCP
Backing Image Data Source      8000           TCP

Backing Image Data Source

Ingress:

From                       Port    Protocol
Longhorn Manager           8000    TCP
Instance Manager           8002    TCP
Backing Image Manager      8000    TCP

Egress:

To                                                      Port           Protocol
Instance Manager                                        10000-30000    TCP
User-provided server to download the images from        User defined   TCP

Share Manager

Ingress:

From                       Port    Protocol
Node in the cluster        2049    TCP

The NFS clients on port 2049 are the nodes that mount RWX volumes, so, as with the iSCSI port of the instance manager, this ingress must be expressed with node addresses rather than a podSelector.

Egress:

None

Backup/Snapshot Recurring Job Pod

Ingress:

None

Egress:

To                       Port    Protocol
Longhorn Manager         9500    TCP

Uninstaller

Ingress:

None

Egress:

To                       Port                         Protocol
Kubernetes API server    Kubernetes API server port   TCP

Discover Proc Kubelet Cmdline

Ingress:

None

Egress:

None


Original GitHub issue: https://github.com/longhorn/longhorn/issues/1805


© 2019-2024 Longhorn Authors | Documentation Distributed under CC-BY-4.0
