How to block TCP ports in MicroK8s proxy - open socket succeeds even when no listener on target device

Hi,

I’m a developer at IBM, working on the CSI driver (which is the interface to external volume storage - which translates K8S storage operations to storage-specific operations).

Each supported storage-system type operates on a different TCP port, and the driver assumes that if a request to open a TCP connection to a specific management port number succeeds - then the storage is of the type that corresponds to that port number.

There appears to be an issue specific to microk8s (does not reproduce in k8s) - TCP connection open requests always succeed locally, even when the target system doesn’t listen on that port. This confuses the CSI driver auto-detect mechanism, and the external storage becomes non-operational.

My questions are:

  • Is this the expected behavior?
  • Is there a way to block a specific port to work around this behavior? (as quick workaround for customers)
  • Is there a way to configure microK8s to only succeed in opening a TCP connection if the target system listens on the port?
    I tried to search the documentation but couldn’t find a configuration setting that does that directly. Here:
    kube-proxy | Kubernetes
    In fact - many of the parameters are explained briefly or not at all.

Thanks in advance for your help.
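
An added example, not part of the original post and not code from the CSI driver: a probe that separates "the TCP connect succeeded" from "something on that port actually answered", which is the distinction the auto-detect described above depends on. The loopback listeners are constructed stand-ins, and the accept-and-drop endpoint is an assumed model of an intermediary, not a statement about how MicroK8s behaves.

```python
import socket
import threading

def probe(host, port, timeout=1.0):
    """Classify a TCP port by more than 'connect() succeeded'."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, unreachable or timed out
        return "no_connect"
    with s:
        try:
            s.sendall(b"\n")             # harmless byte; a real check would use the
            data = s.recv(1)             # storage API's own handshake (assumption)
        except socket.timeout:
            return "open_silent"         # held open, but nothing answered in time
        except ConnectionError:
            return "accepted_then_closed"
    return "responding" if data else "accepted_then_closed"

def _listener(handler):
    """Constructed loopback stand-in; returns (socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                handler(conn)
    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def demo():
    # 1) service that answers, 2) endpoint that accepts and drops, 3) no listener
    real, p_real = _listener(lambda c: (c.recv(16), c.sendall(b"OK\n")))
    drop, p_drop = _listener(lambda c: None)
    idle = socket.socket()
    idle.bind(("127.0.0.1", 0))          # bound but not listening: connect is refused
    p_idle = idle.getsockname()[1]
    try:
        return {name: probe("127.0.0.1", p) for name, p in
                (("real", p_real), ("drop", p_drop), ("none", p_idle))}
    finally:
        for s in (real, drop, idle):
            s.close()

if __name__ == "__main__":
    print(demo())
```

Running `probe` from inside a pod and again from the node against the same storage address shows at which layer a connect to a non-listening port starts succeeding.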