Is there a way to open ports for incoming BGP requests? (port 179) #9114
-
Hi everyone, I'm configuring a cluster to allow incoming connections on port 179 for BGP (Border Gateway Protocol) using Cilium as the CNI.

Talos configuration:

```yaml
---
apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: accept
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: bgp-ingress
portSelector:
  ports:
    - 179
  protocol: tcp
ingress:
  - subnet: 0.0.0.0/0
```

Cilium configuration:

```yaml
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPClusterConfig
metadata:
  name: cilium-bgp
spec:
  nodeSelector:
    matchLabels:
      rack: rack0
  bgpInstances:
    - name: "instance-a"
      localASN: a
      peers:
        - name: "peer-a"
          peerASN: 64515
          peerAddress: 169.254.169.254
          peerConfigRef:
            name: "cilium-peer"
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeerConfig
metadata:
  name: cilium-peer
spec:
  authSecretRef: vultr-bgp-auth-secret
  gracefulRestart:
    enabled: true
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPNodeConfigOverride
metadata:
  name: vultr-worker1
spec:
  bgpInstances:
    - name: "instance-a"
      routerID: "199.247.31.65"
      localPort: 179
      peers:
        - name: "peer-a"
          localAddress: 169.254.169.254
```

Any advice or steps to resolve this issue would be greatly appreciated! Thanks in advance.
-
Your default Talos rule is to accept, so by then specifying a BGP rule, you are telling it to block BGP.
You could omit the NetworkRuleConfig and it will allow BGP (and everything else) from the Talos side.
On Mon, Aug 5, 2024 at 11:14 AM Kapustin Yaroslav wrote:
Hi everyone, I'm configuring a cluster to allow incoming connections on port 179 for BGP (Border Gateway Protocol) using Cilium as the CNI. I've tried already to open ports using Talos and Cilium, but still the ports seem to be closed.
-
If your default policy is
To make it more clear: Talos by default doesn't block any network communication, so you can drop all ingress firewall rules to be extra sure it's not Talos.
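As an added example (not code from this thread, from Talos or from Cilium), the Python below models the documented Talos ingress-firewall decision that the replies above are discussing: NetworkRuleConfig entries are accept rules, and NetworkDefaultActionConfig decides what happens to traffic no rule matches. It evaluates the two Talos documents from the question for TCP/179 from the Vultr peer address given in the post (169.254.169.254) under both default actions, and goes beyond the post with a port range and an `except` entry. The dict literals are constructed stand-ins for the YAML, and the implicit allowances Talos adds on its own (loopback, established connections and the like) are deliberately left out of the model; it covers only the documents shown.

```python
"""Model of the Talos Linux ingress-firewall decision for one inbound packet.

Added example, not Talos code. Semantics modelled (as documented by Talos):
  * every NetworkRuleConfig is an accept rule;
  * NetworkDefaultActionConfig.ingress (accept|block) applies to unmatched traffic.
Implicit allowances Talos adds itself are not modelled.
"""
import ipaddress

# Constructed stand-ins for the two YAML documents in the question.
DEFAULT_ACCEPT = {"apiVersion": "v1alpha1", "kind": "NetworkDefaultActionConfig", "ingress": "accept"}
DEFAULT_BLOCK = {**DEFAULT_ACCEPT, "ingress": "block"}
BGP_RULE = {
    "apiVersion": "v1alpha1",
    "kind": "NetworkRuleConfig",
    "name": "bgp-ingress",
    "portSelector": {"ports": [179], "protocol": "tcp"},
    "ingress": [{"subnet": "0.0.0.0/0"}],
}
# Tighter variant (assumption, not from the post): only link-local sources,
# minus one carved-out /24, and a port range instead of a single port.
BGP_RULE_PEER_ONLY = {
    **BGP_RULE,
    "name": "bgp-ingress-peer-only",
    "portSelector": {"ports": ["170-180"], "protocol": "tcp"},
    "ingress": [{"subnet": "169.254.0.0/16", "except": ["169.254.1.0/24"]}],
}
VULTR_PEER = "169.254.169.254"  # peer address as given in the question


def _port_matches(ports, port):
    """Talos ports may be single numbers or 'lo-hi' ranges."""
    for entry in ports:
        if isinstance(entry, str) and "-" in entry:
            lo, hi = (int(x) for x in entry.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(entry) == port:
            return True
    return False


def _source_matches(ingress, src):
    """A source matches an ingress entry if it is inside `subnet` and not in any `except`."""
    addr = ipaddress.ip_address(src)
    for entry in ingress:
        if addr not in ipaddress.ip_network(entry["subnet"], strict=False):
            continue
        if any(addr in ipaddress.ip_network(e, strict=False) for e in entry.get("except", [])):
            continue
        return True
    return False


def rule_matches(rule, proto, port, src):
    sel = rule["portSelector"]
    return (sel.get("protocol", "").lower() == proto.lower()
            and _port_matches(sel["ports"], port)
            and _source_matches(rule.get("ingress", []), src))


def ingress_decision(docs, proto, port, src):
    """Return 'accept' or 'block' for one inbound packet under the given Talos docs."""
    default = "accept"  # Talos default when no NetworkDefaultActionConfig is present
    for doc in docs:
        if doc.get("kind") == "NetworkDefaultActionConfig":
            default = doc.get("ingress", "accept")
    for doc in docs:
        if doc.get("kind") == "NetworkRuleConfig" and rule_matches(doc, proto, port, src):
            return "accept"  # rules only ever accept
    return default


SCENARIOS = {
    "accept, no rule": [DEFAULT_ACCEPT],
    "accept + bgp rule": [DEFAULT_ACCEPT, BGP_RULE],
    "block, no rule": [DEFAULT_BLOCK],
    "block + bgp rule": [DEFAULT_BLOCK, BGP_RULE],
}


def decision_matrix(proto="tcp", port=179, src=VULTR_PEER):
    """Decision for the same packet under each scenario; shows the rule only matters under block."""
    return {name: ingress_decision(docs, proto, port, src) for name, docs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in decision_matrix().items():
        print(f"{name:20s} -> TCP/179 from {VULTR_PEER}: {verdict}")
```

The matrix makes the point of the last reply concrete: with `ingress: accept` the BGP rule changes nothing, and only under `ingress: block` does its presence decide whether the peer's TCP/179 SYN reaches the node. If the model says "accept" for the real configuration, the blocker is elsewhere (the Cilium BGP instance not listening on `localPort`, the provider's own filtering, or the peer simply not initiating).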