Firewall
Firewall setup for various components
To set up the Kubernetes cluster, you need to open the ports listed below on every host, according to its role (Kubernetes node, load balancer, WireGuard server, NFS server). Only the rows marked Public/Internet should be reachable from outside; everything marked Intranet should be restricted to your private network range.
Firewall rules for Kubernetes node
Set up firewall rules on each node according to the following table.

| Protocol | Port | Source | Purpose |
|---|---|---|---|
| TCP | 22 | Public/Internet | SSH |
| TCP | 80 | Public/Internet | HTTP |
| TCP | 443 | Public/Internet | HTTPS |
| TCP | 5432 | Intranet | Postgres |
| TCP | 9345 | Intranet | RKE (RKE2 supervisor API) |
| TCP | 6443 | Intranet | K8s API |
| UDP | 8472 | Intranet | K8s Flannel VXLAN |
| TCP | 10250 | Intranet | kubelet |
| TCP | 2379 | Intranet | etcd client |
| TCP | 2380 | Intranet | etcd peer |
| TCP | 9796 | Intranet | Prometheus |
| TCP | 30000:32767 | Intranet | K8s NodePort range |
Firewall rules for Load Balancer
| Protocol | Port | Source | Purpose |
|---|---|---|---|
| TCP | 22 | Public/Internet | SSH |
| TCP | 80 | Public/Internet | HTTP |
| TCP | 443 | Public/Internet | HTTPS |
| TCP | 5432 | Intranet | Postgres |
Firewall rules for Wireguard
| Protocol | Port | Source | Purpose |
|---|---|---|---|
| TCP | 22 | Public/Internet | SSH |
| UDP | 51820-5182n | Public/Internet | Multiple WireGuard servers (one UDP port per server, starting at 51820) |
Firewall rules for NFS
| Protocol | Port | Source | Purpose |
|---|---|---|---|
| TCP | 22 | Public/Internet | SSH |
| TCP | 2049 | Intranet | NFS server |
Firewall setup
The exact method of setting up the firewall rules varies between clouds and on-prem environments (for example, EC2 security groups on AWS, ufw on an on-prem cluster, and so on).
Using Ansible
On your machine, install ansible.
Make sure you have SSH access to all nodes of the cluster.
Create a hosts.ini inventory file (a sample is given here).
Copy the ports.yaml playbook and check it against the tables above for any differences (ports, protocols and source ranges).
Run the playbook against the inventory.
Manual
You can use ufw to set up the firewall on each cluster node.
SSH into each node and change to the superuser.
Add a ufw allow rule for each row in the table for that node's role. Restrict the Intranet rows to your private network range rather than opening them to any source; only the Public/Internet rows (22, 80, 443 and the WireGuard UDP ports) should be reachable from outside.
Enable ufw. Make sure the SSH rule is in place before enabling it, otherwise you will lock yourself out of the node.
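The following script is an added example (not part of the original page or the project's own tooling) that turns the port tables above into ufw commands for a given role, defaulting to deny-by-default and a dry run. It assumes the intranet is 10.0.0.0/8 (override with INTRANET_CIDR) and that WG_SERVERS WireGuard instances listen on consecutive UDP ports from 51820 (the page's 51820-5182n); the role names node, lb, wireguard and nfs are the script's own.

```shell
#!/usr/bin/env bash
# Added example: generate (and optionally apply) ufw rules from the port tables.
# Assumptions: INTRANET_CIDR is your private range; WG_SERVERS WireGuard servers
# use UDP 51820 upwards. Neither value comes from the original page.
set -eu

INTRANET_CIDR="${INTRANET_CIDR:-10.0.0.0/8}"   # assumed private range; set to yours
WG_SERVERS="${WG_SERVERS:-1}"                    # number of WireGuard servers

# Rule tables copied from the page: "proto port source description".
RULES_NODE='
TCP 22          Public/Internet SSH
TCP 80          Public/Internet HTTP
TCP 443         Public/Internet HTTPS
TCP 5432        Intranet        Postgres
TCP 9345        Intranet        RKE
TCP 6443        Intranet        K8s-API
UDP 8472        Intranet        Flannel-VXLAN
TCP 10250       Intranet        kubelet
TCP 2379        Intranet        etcd-client
TCP 2380        Intranet        etcd-peer
TCP 9796        Intranet        Prometheus
TCP 30000:32767 Intranet        NodePort
'
RULES_LB='
TCP 22   Public/Internet SSH
TCP 80   Public/Internet HTTP
TCP 443  Public/Internet HTTPS
TCP 5432 Intranet        Postgres
'
RULES_NFS='
TCP 22   Public/Internet SSH
TCP 2049 Intranet        NFS
'

# WireGuard: one UDP port per server, 51820 upwards (the page's 51820-5182n).
wireguard_rules() {
  local last=$((51820 + WG_SERVERS - 1)) range=51820
  [ "$WG_SERVERS" -gt 1 ] && range="51820:$last"
  printf 'TCP 22 Public/Internet SSH\nUDP %s Public/Internet WireGuard\n' "$range"
}

# Map one table row to a ufw command. Public rows are open to any source;
# Intranet rows are restricted to INTRANET_CIDR so cluster-internal ports
# (etcd, kubelet, API server, NodePorts) are never reachable from the Internet.
ufw_cmd() {
  local proto port source
  proto=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); port=$2; source=$3
  case "$source" in
    Public/Internet) printf 'ufw allow %s/%s\n' "$port" "$proto" ;;
    Intranet) printf 'ufw allow from %s to any port %s proto %s\n' "$INTRANET_CIDR" "$port" "$proto" ;;
    *) echo "unknown source: $source" >&2; return 1 ;;
  esac
}

# Emit the full command list for a role: deny incoming by default, allow each
# table row, then enable. SSH (22/tcp) is in every table, so it is allowed
# before ufw is enabled; enabling ufw on a remote host without it locks you out.
generate_rules() {
  local role=$1 table
  case "$role" in
    node) table=$RULES_NODE ;; lb) table=$RULES_LB ;; nfs) table=$RULES_NFS ;;
    wireguard) table=$(wireguard_rules) ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  echo 'ufw default deny incoming'
  echo 'ufw default allow outgoing'
  printf '%s\n' "$table" | while read -r proto port source _; do
    [ -n "$proto" ] && ufw_cmd "$proto" "$port" "$source"
  done
  echo 'ufw --force enable'
}

# Dry run by default (prints the commands); APPLY=1 executes them as root.
apply_rules() {
  generate_rules "$1" | while read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
  done
}

# Usage: ROLE=node ./firewall.sh   (dry run)   |   APPLY=1 ROLE=lb ./firewall.sh
apply_rules "${ROLE:-node}"
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root on the node. Keeping the Intranet rows bound to a source range is the security-relevant part: the page's own list makes 6443, 2379/2380 and 10250 intranet-only, and a rule like `ufw allow 6443/tcp` would silently widen that to the whole Internet.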
Additional Reference: RKE2 Networking Requirements