Proxy accepting telnet on any port

Hello All,

Running across a particular issue that may not be a full-blown issue. We have noticed that our pods in Kubernetes (AKS) with linkerd proxy containers running on them respond with a connection from a telnet to any port. Pulling off the proxy containers nets you “connection refused”.

While I do believe the connection is not passing through to the app container in the pod, it does present itself as a black eye on security scans. Googling netted a big fatty and not much chatter around others bringing this topic up. Curious if others have experienced this.

Just to be clear.

Kubernetes defined app services are all internal kube IPs.
The topic is more around the Kubernetes endpoints that expose each of the pods to the outside of Kubernetes. This is where the scans ding us due to said results earlier.

Would love to engage in some conversation if anyone else has come across this.
Thanks to anyone reading

Hi @Nate11! This is a consequence of the way that Linkerd works—because any application can listen on any port in Kubernetes (i.e. the ports listed in the pod manifest are informative but not restrictive), Linkerd has to be able to accept connections on every port and then attempt to proxy the connection to the backing application.

Since this is ultimately L4 behavior, can you use K8s NetworkPolicies to deny traffic to the unused ports?
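
The NetworkPolicy approach suggested in the reply above could look like the following. This is an added example, not part of the original thread and not Linkerd's own configuration. The policy name, namespace, pod label and application port 8080 are hypothetical, and the two Linkerd ports are the proxy's defaults, which should be confirmed against your installation.

```yaml
# Added example: allow ingress only on the ports the workload actually uses.
# Once a pod is selected by a policy with policyTypes: Ingress, any ingress
# that is not explicitly allowed is denied, so the unused ports stop
# completing a TCP handshake with the Linkerd proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-app-allow-used-ports     # hypothetical name
  namespace: my-namespace           # hypothetical namespace
spec:
  podSelector:
    matchLabels:
      app: my-app                   # hypothetical label on the meshed pods
  policyTypes:
    - Ingress
  ingress:
    - ports:
        # The application's real listening port (assumed to be 8080 here).
        - protocol: TCP
          port: 8080
        # Linkerd proxy inbound port (default 4143). Assumption: meshed
        # clients in your setup may connect to it directly; verify first.
        - protocol: TCP
          port: 4143
        # Linkerd proxy admin port (default 4191), used for proxy health
        # checks and metrics scraping. Assumption: you want these reachable.
        - protocol: TCP
          port: 4191
```

NetworkPolicy objects only take effect when the cluster's network plugin enforces them, so on AKS a network policy engine has to be enabled for the cluster. After applying the policy, repeating the telnet test against an unlisted port should no longer produce a connection.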