Firewall setup for Kubernetes cluster nodes
To set up the Kubernetes cluster, you need to open the ports listed below on all nodes.
Firewall rules
Set up firewall rules on each node according to the following table.
Protocol | Port | Should be accessible only by | Description |
---|---|---|---|
TCP | 22 | SSH | |
TCP | 80 | Postgres ports | |
TCP | 443 | Postgres ports | |
TCP | 5432 | Postgres port | |
TCP | 9345 | RKE2 agent nodes | Kubernetes API |
TCP | 6443 | RKE2 agent nodes | Kubernetes API |
UDP | 8472 | RKE2 server and agent nodes | Required only for Flannel VXLAN |
TCP | 10250 | RKE2 server and agent nodes | kubelet |
TCP | 2379 | RKE2 server nodes | etcd client port |
TCP | 2380 | RKE2 server nodes | etcd peer port |
TCP | 9796 | Cluster nodes over internal network | Prometheus metrics |
TCP | 30000:32767 | RKE2 server and agent nodes | NodePort port range |
Firewall setup
The exact method of setting up the firewall rules varies between cloud providers and on-prem deployments. For example, on AWS you can use EC2 security groups; for an on-prem cluster you can use ufw, and so on.
Using Ansible
1. On your machine, install `ansible`.
2. Make sure you have SSH access to all nodes of the cluster.
3. Create a `hosts.ini` file. Sample given here.
4. Copy the `ports.yaml` file and inspect it for any changes with respect to the above table.
5. Run the `ports.yaml` playbook against `hosts.ini`.
Manual
You can use `ufw` to set up the firewall on each cluster node.
1. SSH into each node and change to superuser.
2. Run the following command for each rule in the above table. Example:
3. Enable ufw:
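A way to script the manual ufw procedure, added here as an example and not taken from the original page: it generates one `ufw allow` command per row of the table, restricted to the source range each row names, and applies them behind a default-deny inbound policy. The four CIDR ranges (ADMIN_CIDR, PG_CLIENT_CIDR, SERVER_CIDR, AGENT_CIDR) are assumed placeholders that must be replaced with the real ranges of your admin hosts, Postgres clients and RKE2 nodes.

```shell
# Added example (not from the original page): turn the port table above into
# "ufw allow" commands. The four CIDRs are ASSUMED placeholders; replace them
# with your admin host range, Postgres client range and RKE2 node ranges.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"       # assumed: hosts allowed to SSH in
PG_CLIENT_CIDR="${PG_CLIENT_CIDR:-10.10.0.0/16}" # assumed: Postgres clients
SERVER_CIDR="${SERVER_CIDR:-10.0.1.0/24}"        # assumed: RKE2 server nodes
AGENT_CIDR="${AGENT_CIDR:-10.0.2.0/24}"          # assumed: RKE2 agent nodes

# One line per table row: protocol, port (or range), comma-separated source groups.
RULES='
tcp 22 ADMIN
tcp 80 PG
tcp 443 PG
tcp 5432 PG
tcp 9345 AGENT
tcp 6443 AGENT
udp 8472 SERVER,AGENT
tcp 10250 SERVER,AGENT
tcp 2379 SERVER
tcp 2380 SERVER
tcp 9796 SERVER,AGENT
tcp 30000:32767 SERVER,AGENT
'
cidr_for() {
  case "$1" in
    ADMIN)  echo "$ADMIN_CIDR" ;;
    PG)     echo "$PG_CLIENT_CIDR" ;;
    SERVER) echo "$SERVER_CIDR" ;;
    AGENT)  echo "$AGENT_CIDR" ;;
  esac
}
# Print one "ufw allow" command per (row, source group) pair; nothing is executed,
# so the list can be reviewed before touching a node.
gen_ufw_rules() {
  echo "$RULES" | while read -r proto port sources; do
    [ -n "$proto" ] || continue
    for src in $(echo "$sources" | tr ',' ' '); do
      echo "ufw allow from $(cidr_for "$src") to any port $port proto $proto"
    done
  done
}
# Run as root on a node: deny all inbound by default, allow only the table,
# then enable ufw without the interactive prompt.
apply_ufw_rules() {
  ufw default deny incoming
  gen_ufw_rules | while read -r cmd; do $cmd || exit 1; done || return 1
  ufw --force enable
}
[ "${1:-}" = "--apply" ] && apply_ufw_rules || gen_ufw_rules
```

Run it without arguments to review the generated commands; run it as root with `--apply` on each node to enforce them.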
Additional Reference: RKE2 Networking Requirements