I have deployed an email server on my cluster through ServiceLB and have disallowed port 25 on some nodes, yet I am still able to connect to the email server on those nodes.
I am using UFW with the iptables backend, so I assume that the iptables block is being overwritten by the forwarding done by ServiceLB.
Is there any way to restrict this specific loadbalancer instance to attach to certain nodes, or to ensure the firewall still works even with ServiceLB?
I have found this section on the k3s website that allows assigning an LB to certain nodes:
Creating ServiceLB Node Pools
To select a particular subset of nodes to host pods for a LoadBalancer, add the enablelb label to the desired nodes, and set matching lbpool label values on the Nodes and Services. For example:
Label Node A and Node B with svccontroller.k3s.cattle.io/lbpool=pool1 and svccontroller.k3s.cattle.io/enablelb=true
Label Node C and Node D with svccontroller.k3s.cattle.io/lbpool=pool2 and svccontroller.k3s.cattle.io/enablelb=true
Create one LoadBalancer Service on port 443 with label svccontroller.k3s.cattle.io/lbpool=pool1. The DaemonSet for this service will only deploy Pods to Node A and Node B.
Create another LoadBalancer Service on port 443 with label svccontroller.k3s.cattle.io/lbpool=pool2. The DaemonSet will only deploy Pods to Node C and Node D.
However, I would also like to assign an LB to all nodes without the firewall rules being overwritten. Is this possible?
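The node-pool procedure quoted above, carried through for the mail service from this issue, as an added example (not code from the k3s docs or from this issue). The node names node-a/node-b, the Service name mail and the pool name pool1 are constructed assumptions; the label keys are the ones the k3s docs give.

```shell
#!/bin/sh
# Added example: render the node labels and the LoadBalancer Service manifest
# that pin a ServiceLB instance to one node pool. Node/service/pool names are
# constructed for illustration; the label keys come from the k3s docs.

# Emit the kubectl commands that put the given nodes into a ServiceLB pool:
# enablelb=true makes the node eligible, lbpool selects which pool it serves.
pool_label_cmds() {
  pool="$1"; shift
  for node in "$@"; do
    printf 'kubectl label node %s svccontroller.k3s.cattle.io/enablelb=true svccontroller.k3s.cattle.io/lbpool=%s --overwrite\n' \
      "$node" "$pool"
  done
}

# Render a LoadBalancer Service whose lbpool label matches the node pool, so
# ServiceLB's DaemonSet only schedules its forwarding Pods on nodes in that pool.
lb_service_manifest() {
  name="$1"; pool="$2"; port="$3"
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $name
  labels:
    svccontroller.k3s.cattle.io/lbpool: $pool
spec:
  type: LoadBalancer
  selector:
    app: $name
  ports:
  - name: smtp
    port: $port
    targetPort: $port
EOF
}

# Example run (constructed names): only node-a and node-b will expose port 25.
pool_label_cmds pool1 node-a node-b
lb_service_manifest mail pool1 25
```

Apply the printed label commands first, then pipe the manifest into kubectl apply -f -; nodes without the enablelb/lbpool labels never receive the ServiceLB Pods, so the port is not opened there.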
K3s uses iptables for forwarding with both servicelb and kube-proxy, as well as the CNI itself (e.g. flannel). It does not play nicely with UFW or other firewalls and does not consider them when making rules.