TCP listen on port 9253 on all interface addresses creates security vulnerability

[amshankaran]

K8s cluster is installed on VMs/worker nodes having multiple interfaces. Couple of interfaces have external connectivity towards DC-GW. dns-node-cache (node-local-dns) listens on 9253 for prometheus. But this TCP listens on all the interfaces including external interfaces.
This makes cluster vulnerable to DoS attack.

worker-pool1-z92h78yx-stack:~ # lsof -i -n -P | grep :9253
node-cach 4720 root 8u IPv6 41286 0t0 TCP *:9253 (LISTEN)

As per prometheus plugins suggestion, if we configure an IP address, X.X.X.X:9253 it will be specific to the particular node with address X.X.X.X. In a multi-node cluster, this configuration in configmap will fail the bind with node address Y.Y.Y.Y

A configuration required to Listen on nodes InternalIP, which can solve this issue. (InternalIP:9253)

[amshankaran]

corefile.txt
Attaching the node-local-dns corefile

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[dpasiukevich]

/remove-lifecycle stale
/help

[k8s-ci-robot]

@dpasiukevich:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

Details

In response to this:

/remove-lifecycle stale
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[Goend]

@amshankaran you can close by set args

args: [ "-localip", "169.254.20.10,{{ skydns_server }}", "-conf", "/etc/Corefile","-metrics-listen-address", "0", "-upstreamsvc", "kube-dns-upstream" ]