Skip to content

docs: add host network security#1034

Open
Yu-Jack wants to merge 2 commits into
harvester:mainfrom
Yu-Jack:HARV-5681
Open

docs: add host network security#1034
Yu-Jack wants to merge 2 commits into
harvester:mainfrom
Yu-Jack:HARV-5681

Conversation

@Yu-Jack
Copy link
Copy Markdown
Collaborator

@Yu-Jack Yu-Jack commented Apr 30, 2026
edited
Loading

Problem:

Solution:

Related Issue(s):

harvester/harvester#5681

Test plan:

Technical writer can skip this section.

All tests are tested on two nodes cluster (default role). Although sometimes the logs appear, those are false positives and harmless. We can ignore it.

upgrade (false positive traffic)

I tested the upgrade from v1.7.0 -> v1.7.1 -> v1.8.0 with iptables rules. It works well, but I still put on dropping the rules as the final solution during the upgrade.

v1.7.0 -> v1.7.1 
apiVersion: harvesterhci.io/v1beta1
kind: Upgrade
metadata:
  annotations:
    harvesterhci.io/image-cleanup-plan-completed: "true"
    harvesterhci.io/longhorn-settings-restored: "true"
    harvesterhci.io/replica-replenishment-wait-interval: "600"
  creationTimestamp: "2026-05-04T06:04:04Z"
  finalizers:
  - wrangler.cattle.io/harvester-upgrade-controller
  generateName: hvst-upgrade-
  generation: 26
  labels:
    harvesterhci.io/read-message: "true"
    harvesterhci.io/upgradeCleanup: Succeeded
    harvesterhci.io/upgradeState: Succeeded
  name: hvst-upgrade-4fvmr
  namespace: harvester-system
  resourceVersion: "5062893"
  uid: 1a643106-0c53-4168-9aa2-fd3f9c763b3b
spec:
  image: ""
  logEnabled: false
  version: v1.7.1
status:
  conditions:
  - status: "True"
    type: Completed
  - message: Upgrade observability is administratively disabled
    reason: Disabled
    status: "False"
    type: LogReady
  - status: "True"
    type: ImageReady
  - status: "True"
    type: RepoReady
  - status: "True"
    type: NodesPrepared
  - status: "True"
    type: SystemServicesUpgraded
  - status: "True"
    type: NodesUpgraded
  imageID: harvester-system/hvst-upgrade-4fvmr
  nodeStatuses:
    harvester1:
      state: Succeeded
    harvester2:
      state: Succeeded
  previousVersion: v1.7.0
  repoInfo: |
    release:
      harvester: v1.7.1
      harvesterChart: 1.7.1
      os: Harvester v1.7.1
      kubernetes: v1.34.3+rke2r3
      rancher: v2.13.1
      monitoringChart: 107.1.0+up69.8.2-rancher.15
      minUpgradableVersion: v1.6.0
v1.7.1 -> v1.8.0 
apiVersion: harvesterhci.io/v1beta1
kind: Upgrade
metadata:
  annotations:
    harvesterhci.io/apply-skip-rke2-manifests-plan-completed: "true"
    harvesterhci.io/image-cleanup-plan-completed: "true"
    harvesterhci.io/longhorn-settings-restored: "true"
    harvesterhci.io/remove-skip-rke2-manifests-plan-completed: "true"
    harvesterhci.io/replica-replenishment-wait-interval: "600"
  creationTimestamp: "2026-05-05T04:00:42Z"
  finalizers:
  - wrangler.cattle.io/harvester-upgrade-controller
  generateName: hvst-upgrade-
  generation: 25
  labels:
    harvesterhci.io/latestUpgrade: "true"
    harvesterhci.io/upgradeCleanup: Succeeded
    harvesterhci.io/upgradeState: Succeeded
  name: hvst-upgrade-42ld6
  namespace: harvester-system
  resourceVersion: "5103847"
  uid: 16ae1feb-77e6-464a-b21c-d9284c4d1d1b
spec:
  image: ""
  logEnabled: false
  version: v1.8.0
status:
  conditions:
  - lastUpdateTime: "2026-05-05T04:41:01Z"
    status: "True"
    type: Completed
  - lastUpdateTime: "2026-05-05T04:00:42Z"
    message: Upgrade observability is administratively disabled
    reason: Disabled
    status: "False"
    type: LogReady
  - lastUpdateTime: "2026-05-05T04:03:06Z"
    status: "True"
    type: ImageReady
  - lastUpdateTime: "2026-05-05T04:03:10Z"
    status: "True"
    type: RepoReady
  - lastUpdateTime: "2026-05-05T04:10:21Z"
    status: "True"
    type: NodesPrepared
  - lastUpdateTime: "2026-05-05T04:20:14Z"
    status: "True"
    type: SystemServicesUpgraded
  - lastUpdateTime: "2026-05-05T04:41:01Z"
    status: "True"
    type: NodesUpgraded
  imageID: harvester-system/hvst-upgrade-42ld6
  nodeStatuses:
    harvester1:
      state: Succeeded
    harvester2:
      state: Succeeded
  previousVersion: v1.7.1
  repoInfo: |
    release:
      harvester: v1.8.0
      harvesterChart: 1.8.0
      os: Harvester v1.8.0
      kubernetes: v1.35.2+rke2r1
      rancher: v2.14.0
      monitoringChart: 108.0.2+up77.9.1-rancher.11
      minUpgradableVersion: v1.7.0

After the upgrade, these logs will show up. But, these are false positives.

harvester1:/home/rancher # journalctl -k -f | grep HARVESTER_DROP
May 05 04:40:28 harvester1 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ef:52:54:00:ab:cd:ea:08:00 SRC=192.168.122.62 DST=192.168.122.61 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=10250 DPT=56266 WINDOW=0 RES=0x00 ACK RST URGP=0

---
harvester2:/home/rancher # journalctl -k -f | grep HARVESTER_DROP
May 05 04:43:35 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=64631 DF PROTO=TCP SPT=6443 DPT=43707 WINDOW=352 RES=0x00 ACK URGP=0
May 05 04:43:35 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1327 TOS=0x00 PREC=0x00 TTL=64 ID=4664 DF PROTO=TCP SPT=6443 DPT=61844 WINDOW=344 RES=0x00 ACK PSH URGP=0
May 05 04:43:35 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=18677 DF PROTO=TCP SPT=6443 DPT=27580 WINDOW=352 RES=0x00 ACK URGP=0
May 05 04:44:28 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=1330 DF PROTO=TCP SPT=6443 DPT=37871 WINDOW=438 RES=0x00 ACK URGP=0
May 05 04:45:38 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=18678 DF PROTO=TCP SPT=6443 DPT=27580 WINDOW=352 RES=0x00 ACK URGP=0
May 05 04:45:38 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=64632 DF PROTO=TCP SPT=6443 DPT=43707 WINDOW=352 RES=0x00 ACK URGP=0
May 05 04:46:31 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=1331 DF PROTO=TCP SPT=6443 DPT=37871 WINDOW=438 RES=0x00 ACK URGP=0
May 05 04:47:41 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=18679 DF PROTO=TCP SPT=6443 DPT=27580 WINDOW=352 RES=0x00 ACK URGP=0
May 05 04:47:41 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=64633 DF PROTO=TCP SPT=6443 DPT=43707 WINDOW=352 RES=0x00 ACK URGP=0
May 05 04:48:34 harvester2 kernel: HARVESTER_DROP_IN=mgmt-br OUT= MAC=52:54:00:ab:cd:ea:52:54:00:ab:cd:ef:08:00 SRC=192.168.122.61 DST=192.168.122.62 LEN=1450 TOS=0x00 PREC=0x00 TTL=64 ID=1332 DF PROTO=TCP SPT=6443 DPT=37871 WINDOW=438 RES=0x00 ACK URGP=0

storage network (no missing traffic)

apiVersion: harvesterhci.io/v1beta1
kind: Setting
metadata:
  annotations:
    storage-network.settings.harvesterhci.io/hash: 23f9663855ef7f383dcfd46ac477431db1890ccc
    storage-network.settings.harvesterhci.io/net-attach-def: harvester-system/storagenetwork-ghzgp
    storage-network.settings.harvesterhci.io/old-net-attach-def: ""
  creationTimestamp: "2026-04-30T08:28:20Z"
  generation: 6
  name: storage-network
  resourceVersion: "5183957"
  uid: 2f9fcbe8-415f-40fc-aecc-247b9958ba0c
status:
  conditions:
  - lastUpdateTime: "2026-05-05T06:18:36Z"
    reason: Completed
    status: "True"
    type: configured
value: '{"vlan":2,"clusterNetwork":"mgmt","range":"172.16.0.0/24"}'
image 
harvester1:/home/rancher # tcpdump -i mgmt-br -en 'vlan 2 and tcp port 6000'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on mgmt-br, link-type EN10MB (Ethernet), snapshot length 262144 bytes

06:33:41.335810 f6:b9:cc:80:40:2f > aa:2f:ea:f3:8f:84, ethertype 802.1Q (0x8100), length 78: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.1.40366 > 172.16.0.4.6000: Flags [S], seq 197059806, win 64240, options [mss 1460,sackOK,TS val 567497556 ecr 0,nop,wscale 7], length 0
06:33:41.336223 aa:2f:ea:f3:8f:84 > f6:b9:cc:80:40:2f, ethertype 802.1Q (0x8100), length 78: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.4.6000 > 172.16.0.1.40366: Flags [S.], seq 4248437737, ack 197059807, win 65160, options [mss 1460,sackOK,TS val 4116250744 ecr 567497556,nop,wscale 7], length 0
06:33:41.336275 f6:b9:cc:80:40:2f > aa:2f:ea:f3:8f:84, ethertype 802.1Q (0x8100), length 70: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.1.40366 > 172.16.0.4.6000: Flags [.], ack 1, win 502, options [nop,nop,TS val 567497557 ecr 4116250744], length 0
06:33:41.336495 f6:b9:cc:80:40:2f > aa:2f:ea:f3:8f:84, ethertype 802.1Q (0x8100), length 149: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.1.40366 > 172.16.0.4.6000: Flags [P.], seq 1:80, ack 1, win 502, options [nop,nop,TS val 567497557 ecr 4116250744], length 79
06:33:41.336817 aa:2f:ea:f3:8f:84 > f6:b9:cc:80:40:2f, ethertype 802.1Q (0x8100), length 70: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.4.6000 > 172.16.0.1.40366: Flags [.], ack 80, win 509, options [nop,nop,TS val 4116250745 ecr 567497557], length 0
06:33:41.339062 aa:2f:ea:f3:8f:84 > f6:b9:cc:80:40:2f, ethertype 802.1Q (0x8100), length 226: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.4.6000 > 172.16.0.1.40366: Flags [P.], seq 1:157, ack 80, win 509, options [nop,nop,TS val 4116250747 ecr 567497557], length 156
06:33:41.339064 aa:2f:ea:f3:8f:84 > f6:b9:cc:80:40:2f, ethertype 802.1Q (0x8100), length 1125: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.4.6000 > 172.16.0.1.40366: Flags [FP.], seq 157:1212, ack 80, win 509, options [nop,nop,TS val 4116250747 ecr 567497557], length 1055
06:33:41.339090 f6:b9:cc:80:40:2f > aa:2f:ea:f3:8f:84, ethertype 802.1Q (0x8100), length 70: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.1.40366 > 172.16.0.4.6000: Flags [.], ack 157, win 501, options [nop,nop,TS val 567497560 ecr 4116250747], length 0
06:33:41.339093 f6:b9:cc:80:40:2f > aa:2f:ea:f3:8f:84, ethertype 802.1Q (0x8100), length 70: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.1.40366 > 172.16.0.4.6000: Flags [.], ack 1213, win 524, options [nop,nop,TS val 567497560 ecr 4116250747], length 0
06:33:41.339239 f6:b9:cc:80:40:2f > aa:2f:ea:f3:8f:84, ethertype 802.1Q (0x8100), length 70: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.1.40366 > 172.16.0.4.6000: Flags [F.], seq 80, ack 1213, win 524, options [nop,nop,TS val 567497560 ecr 4116250747], length 0
06:33:41.339382 aa:2f:ea:f3:8f:84 > f6:b9:cc:80:40:2f, ethertype 802.1Q (0x8100), length 70: vlan 2, p 0, ethertype IPv4 (0x0800), 172.16.0.4.6000 > 172.16.0.1.40366: Flags [.], ack 81, win 509, options [nop,nop,TS val 4116250748 ecr 567497560], length 0

kubeovn

VM communication

Before:

image

After:

node1:
image

node2:
image

e2e api test

image

Guest Cluster

image image image

Additional documentation or context

@Yu-Jack Yu-Jack mentioned this pull request Apr 30, 2026
Open
@Yu-Jack Yu-Jack changed the title Harv 5681 docs: add host security Apr 30, 2026
@Yu-Jack Yu-Jack changed the title docs: add host security docs: add host network security Apr 30, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 30, 2026
edited
Loading

Name Link
🔨 Latest commit 9f07310
😎 Deploy Preview https://69fbfe86c0db7a9d001b4734--harvester-preview.netlify.app

@Yu-Jack Yu-Jack force-pushed the HARV-5681 branch 4 times, most recently from 0cd7a79 to 8c6d767 Compare May 6, 2026 08:39
@Yu-Jack Yu-Jack marked this pull request as ready for review May 6, 2026 09:10
Copilot AI reviewed May 6, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds new documentation for hardening Harvester host inbound traffic using iptables, and updates the installation “Network Requirements” page to provide a more structured, role-specific port matrix (including addon port tables).

Changes:

  • Added a new “Host Network Security” page describing an iptables chain approach, CloudInit persistence, and troubleshooting/upgrade considerations.
  • Refactored “Network Requirements” to list inbound ports per node role, including bind-address context and an addon-specific port section (kubeovn-operator).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.

File Description
docs/networking/host-network-security.md New page documenting iptables-based host inbound filtering, CloudInit persistence, and debugging guidance.
docs/install/requirements.md Replaces the legacy port list with role-specific port tables and adds addon port requirements tables.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/networking/host-network-security.md Outdated
Comment thread docs/networking/host-network-security.md Outdated
Comment thread docs/networking/host-network-security.md
Comment thread docs/networking/host-network-security.md Outdated
Comment thread docs/networking/host-network-security.md
Comment thread docs/install/requirements.md Outdated
Yu-Jack added 2 commits May 7, 2026 10:46
@Yu-Jack
docs: update network requirement
4645eb1 
Signed-off-by: Jack Yu <jack.yu@suse.com>
@Yu-Jack
docs: add host network security
9f07310 
Signed-off-by: Jack Yu <jack.yu@suse.com>
pohanhuang
pohanhuang reviewed May 15, 2026
View reviewed changes
Copy link
Copy Markdown

@pohanhuang pohanhuang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM from a documentation structure perspective.
I'm not familiar with the iptables/networking area, so I'll defer to the networking folks for a deeper review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pohanhuang pohanhuang pohanhuang left review comments

Copilot code review Copilot Copilot left review comments

@starbops starbops Awaiting requested review from starbops

@ibrokethecloud ibrokethecloud Awaiting requested review from ibrokethecloud

@rrajendran17 rrajendran17 Awaiting requested review from rrajendran17

At least 1 approving review is required to merge this pull request.

Assignees

@Yu-Jack Yu-Jack

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Yu-Jack @pohanhuang