Longhorn Networking
This page documents the network communication between components in the Longhorn system. Using this information, users can write Kubernetes NetworkPolicy objects to control inbound and outbound traffic for Longhorn components. This helps limit the damage when a malicious pod gains access to the in-cluster network.
The Helm chart installs NetworkPolicy objects when the networkPolicies.enabled value is set to true.
The manifests of these objects can be viewed in the git repository.
Note that depending on the deployed CNI, not all Kubernetes clusters support NetworkPolicy.
See the Kubernetes documentation for details.
Note: If you are writing network policies, please revisit this page before upgrading Longhorn to make the necessary adjustments to your network policies.
Note: Depending on the CNI used for your cluster network, there might be some delay when Kubernetes applies network policies to the pod. This delay may cause a Longhorn recurring job that takes a Snapshot or Backup of the Volume to fail, since it cannot access longhorn-manager at first. This is a known issue found in K3s with Traefik and is beyond Longhorn's control.
From | Port | Protocol |
---|---|---|
Other Longhorn Manager | 9500 | TCP |
UI | 9500 | TCP |
Longhorn CSI plugin | 9500 | TCP |
Backup/Snapshot Recurring Job Pod | 9500 | TCP |
Longhorn Driver Deployer | 9500 | TCP |
Conversion Webhook Server | 9501 | TCP |
Admission Webhook Server | 9502 | TCP |
Recovery Backend Server | 9503 | TCP |
To | Port | Protocol |
---|---|---|
Other Longhorn Manager | 9500 | TCP |
Instance Manager | 8500 (process-manager service); 8501 (proxy service); 8502 (disk service); 8503 (instance service); 8504 (spdk service) | TCP |
Backing Image Manager | 8000 | TCP |
Backing Image Data Source | 8000 | TCP |
External Backupstore | User defined | TCP |
Kubernetes API server | Kubernetes API server port | TCP |
Users defined
To | Port | Protocol |
---|---|---|
Longhorn Manager | 9500 | TCP |
From | Port | Protocol |
---|---|---|
Longhorn Manager | 8500 (process-manager service); 8501 (proxy service); 8502 (disk service); 8503 (instance service); 8504 (spdk service) | TCP |
Other Instance Manager | 10000-30000 | TCP |
Node in the Cluster | 3260 | TCP |
Backing Image Data Source | 10000-30000 | TCP |
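The ingress table above (Longhorn Manager on 8500-8504, Other Instance Manager and Backing Image Data Source on 10000-30000, cluster nodes on 3260) can be written as a NetworkPolicy like the following. This is an added example, not a manifest from the Longhorn chart. The namespace, the pod labels and the node CIDR are assumptions; check them against your cluster (for example with `kubectl get pods --show-labels`) before applying.

```yaml
# Added example: ingress allow-list for Instance Manager pods, built from the table above.
# Assumptions (verify in your cluster): namespace, every pod label, and the node CIDR.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: instance-manager-ingress-example        # hypothetical name
  namespace: longhorn-system                    # assumed install namespace
spec:
  podSelector:
    matchLabels:
      longhorn.io/component: instance-manager   # assumed label
  policyTypes:
    - Ingress          # ingress only; egress from these pods is not restricted here
  ingress:
    # Longhorn Manager -> 8500-8504 (process-manager, proxy, disk, instance, spdk services)
    - from:
        - podSelector:
            matchLabels:
              app: longhorn-manager             # assumed label
      ports:
        - protocol: TCP
          port: 8500
          endPort: 8504
    # Other Instance Manager and Backing Image Data Source -> 10000-30000
    - from:
        - podSelector:
            matchLabels:
              longhorn.io/component: instance-manager
        - podSelector:
            matchLabels:
              longhorn.io/component: backing-image-data-source   # assumed label
      ports:
        - protocol: TCP
          port: 10000
          endPort: 30000
    # Node in the cluster -> 3260
    - from:
        - ipBlock:
            cidr: 192.0.2.0/24                  # placeholder: replace with your node CIDR
      ports:
        - protocol: TCP
          port: 3260
```

Port ranges rely on the `endPort` field, which the CNI must support. Whether an `ipBlock` rule matches traffic that originates from a node also depends on the CNI, so test the 3260 rule before relying on it.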
To | Port | Protocol |
---|---|---|
Other Instance Manager | 10000-30000 | TCP |
Backing Image Data Source | 8002 | TCP |
External Backupstore | User defined | TCP |
None
To | Port | Protocol |
---|---|---|
Longhorn Manager | 9500 | TCP |
Longhorn CSI plugin pods communicate with CSI sidecar pods over the Unix Domain Socket at <Kubelet-Directory>/plugins/driver.longhorn.io/csi.sock
None
To | Port | Protocol |
---|---|---|
Kubernetes API server | Kubernetes API server port | TCP |
CSI sidecar pods communicate with Longhorn CSI plugin pods over the Unix Domain Socket at <Kubelet-Directory>/plugins/driver.longhorn.io/csi.sock
None
To | Port | Protocol |
---|---|---|
Longhorn Manager | 9500 | TCP |
Kubernetes API server | Kubernetes API server port | TCP |
None
None
From | Port | Protocol |
---|---|---|
Longhorn Manager | 8000 | TCP |
Other Backing Image Manager | 30001-31000 | TCP |
To | Port | Protocol |
---|---|---|
Instance Manager | 10000-30000 | TCP |
Other Backing Image Manager | 30001-31000 | TCP |
Backing Image Data Source | 8000 | TCP |
From | Port | Protocol |
---|---|---|
Longhorn Manager | 8000 | TCP |
Instance Manager | 8002 | TCP |
Backing Image Manager | 8000 | TCP |
To | Port | Protocol |
---|---|---|
Instance Manager | 10000-30000 | TCP |
User provided server IP to download the images from | user defined | TCP |
From | Port | Protocol |
---|---|---|
Node in the cluster | 2049 | TCP |
None
None
To | Port | Protocol |
---|---|---|
Longhorn Manager | 9500 | TCP |
None
To | Port | Protocol |
---|---|---|
Kubernetes API server | Kubernetes API server port | TCP |
None
None
Original GitHub issue: https://github.com/longhorn/longhorn/issues/1805
© 2019-2024 Longhorn Authors | Documentation Distributed under CC-BY-4.0