I have a k8s cluster running a Service behind an Ingress with an external HTTPS load balancer and I have Identity-aware proxy protecting my system. The ingress has a public IP and when I scan it with nmap I see the following open ports:
PORT      STATE SERVICE
43/tcp    open  whois
53/tcp    open  domain
80/tcp    open  http
83/tcp    open  mit-ml-dev
84/tcp    open  ctf
85/tcp    open  mit-ml-dev
89/tcp    open  su-mit-tg
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
587/tcp   open  submission
700/tcp   open  epp
993/tcp   open  imaps
995/tcp   open  pop3s
1084/tcp  open  ansoft-lm-2
1085/tcp  open  webobjects
1089/tcp  open  ff-annunc
1443/tcp  open  ies-lm
1935/tcp  open  rtmp
3389/tcp  open  ms-wbt-server
5222/tcp  open  xmpp-client
5432/tcp  open  postgresql
5900/tcp  open  vnc
5901/tcp  open  vnc-1
5999/tcp  open  ncd-conf
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
8085/tcp  open  unknown
8086/tcp  open  d-s-n
8088/tcp  open  radan-http
8089/tcp  open  unknown
8090/tcp  open  opsmessaging
8099/tcp  open  unknown
9100/tcp  open  jetdirect
9200/tcp  open  wap-wsp
20000/tcp open  dnp
30000/tcp open  ndmps
My question is: why are all these ports open? Are they open because of the IAP, and if so, is this why I'm able to scan what seems to be the Ingress IP without authentication? Ultimately, can I close all but the HTTP/S ports for security? If it is the IAP, perhaps these need to be open to forward different traffic for different services that MAY be available but that are not in my cluster; does that explain this?
Any hints would be lovely. I've RTFMed and everything about the Ingress seems to point to it only accepting HTTP/S traffic and forwarding it to the Service/Deployment. Is it the IAP that is leaving these ports open, or is it truly the Ingress? It is the IP address associated with the Ingress. Do I need to add a FrontendConfig to my cluster to configure the Ingress to have these ports closed?
Thanks in advance!
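A check worth running before drawing conclusions from the scan above (added example, not part of the original post): a default nmap scan reports a port as "open" as soon as the TCP handshake completes, and the SERVICE column is a lookup of the port number in nmap's services table, not a fingerprint of what answered. The script below completes the handshake itself, sends an HTTP request, and records whether the peer actually returned data, closed the connection, reset it, or went silent. To keep it runnable offline it starts three constructed listeners on 127.0.0.1 (one that speaks HTTP, one that accepts and closes, one with nothing listening); the embedded nmap lines are a subset of the table from the post, and the Ingress IP you would point it at is an assumption you fill in.

```python
import re
import socket
import threading

# A few lines of the nmap output quoted in the post above; paste the full
# table here when running it against your own Ingress IP.
NMAP_OUTPUT = """\
PORT STATE SERVICE
43/tcp open whois
80/tcp open http
443/tcp open https
3389/tcp open ms-wbt-server
5432/tcp open postgresql
8080/tcp open http-proxy
"""

_PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")


def parse_nmap(text):
    """Return [(port, nmap_service_guess), ...] for every 'open' TCP line."""
    ports = []
    for line in text.splitlines():
        m = _PORT_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2)))
    return ports


def probe(host, port, timeout=3.0):
    """Classify a port by what happens after the TCP handshake.

    'closed'               - no handshake (refused, filtered, timed out)
    'responds'             - handshake, then application data came back
    'accepted-then-closed' - handshake, peer read our request and sent FIN
    'accepted-reset'       - handshake, peer sent RST on our first write/read
    'accepted-silent'      - handshake, then nothing within the timeout
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        sock.settimeout(timeout)
        request = (
            "GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
        ).encode()
        try:
            sock.sendall(request)
            data = sock.recv(4096)
        except socket.timeout:
            return "accepted-silent"
        except OSError:
            return "accepted-reset"
    return "responds" if data else "accepted-then-closed"


def probe_all(host, ports, timeout=3.0):
    """Map each port to its probe() classification."""
    return {port: probe(host, port, timeout) for port in ports}


def _fake_listener(reply):
    """Constructed stand-in for a remote port: accept one connection, read the
    request, optionally answer with `reply`, then close. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(3.0)
            try:
                conn.recv(4096)
                if reply:
                    conn.sendall(reply)
            except OSError:
                pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Offline run: a port that speaks HTTP, one that only completes the
    handshake, and one with nothing listening (all constructed locally)."""
    http_port = _fake_listener(b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")
    handshake_port = _fake_listener(b"")
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    dead_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens on this port any more
    return {
        "speaks-http": probe("127.0.0.1", http_port),
        "handshake-only": probe("127.0.0.1", handshake_port),
        "nothing-listening": probe("127.0.0.1", dead_port),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
    # Against the real front end (hypothetical address, network access needed):
    # probe_all("<ingress ip>", [p for p, _ in parse_nmap(NMAP_OUTPUT)])
```

If most of the ports come back as anything other than "responds", the scan is telling you that something completes TCP handshakes on that address, not that 38 services are exposed; `nmap -sV` against the same host gives a comparable answer with nmap's own protocol probes.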