Firewall
Firewall setup for various components
To set up the Kubernetes cluster, you need to open a few ports on all nodes, as listed in the tables below.
Firewall rules for Kubernetes node
Set up firewall rules on each node according to the following table.
Protocol | Port | Access | Purpose |
---|---|---|---|
TCP | 22 | Public/Internet | SSH |
TCP | 80 | Public/Internet | HTTP |
TCP | 443 | Public/Internet | HTTPS |
TCP | 5432 | Intranet | Postgres |
TCP | 9345 | Intranet | RKE |
TCP | 6443 | Intranet | K8s API |
UDP | 8472 | Intranet | K8s Flannel VXLAN |
TCP | 10250 | Intranet | kubelet |
TCP | 2379 | Intranet | etcd client |
TCP | 2380 | Intranet | etcd peer |
TCP | 9796 | Intranet | Prometheus |
TCP | 30000:32767 | Intranet | K8s NodePort |
Firewall rules for Load Balancer
Protocol | Port | Access | Purpose |
---|---|---|---|
TCP | 22 | Public/Internet | SSH |
TCP | 80 | Public/Internet | HTTP |
TCP | 443 | Public/Internet | HTTPS |
TCP | 5432 | Intranet | Postgres |
Firewall rules for Wireguard
Protocol | Port | Access | Purpose |
---|---|---|---|
TCP | 22 | Public/Internet | SSH |
UDP | 51820-5182n | Public/Internet | Multiple Wireguard servers |
Firewall rules for NFS
Protocol | Port | Access | Purpose |
---|---|---|---|
TCP | 22 | Public/Internet | SSH |
TCP | 2049 | Intranet | NFS server |
Firewall setup
The exact method for setting up the firewall rules varies between cloud providers and on-prem environments (for example, EC2 security groups on AWS, ufw on an on-prem cluster, and so on).
Using Ansible
1. On your machine, install `ansible`.
2. Make sure you have SSH access to all nodes of the cluster.
3. Create a `hosts.ini` file (sample given here).
4. Copy the `ports.yaml` file and inspect it for any changes with respect to the table above.
5. Run the playbook.
Manual
You can use `ufw` to set up the firewall on each cluster node.
1. SSH into each node and change to the superuser.
2. Run the following command for each rule in the table above (example given here).
3. Enable ufw.
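The manual steps above call for one `ufw` command per table row. The script below is an added example, not part of the original page: it turns the "Firewall rules for Kubernetes node" table into a default-deny ufw rule set, leaving Public rows open to any source and restricting Intranet rows to the node subnet. The subnet 10.0.0.0/8 (`INTRANET_CIDR`) is an assumption; set it to your own node network.

```shell
#!/bin/sh
# Added example (not from the original page): build the ufw rules for one
# Kubernetes node from the "Firewall rules for Kubernetes node" table.
# Public rows are reachable from any source; Intranet rows only from the
# node subnet. INTRANET_CIDR is an assumed value, not taken from the page.
set -eu

INTRANET_CIDR="${INTRANET_CIDR:-10.0.0.0/8}"

# One line per table row: protocol port access (ufw writes ranges as start:end).
NODE_RULES='TCP 22 Public
TCP 80 Public
TCP 443 Public
TCP 5432 Intranet
TCP 9345 Intranet
TCP 6443 Intranet
UDP 8472 Intranet
TCP 10250 Intranet
TCP 2379 Intranet
TCP 2380 Intranet
TCP 9796 Intranet
TCP 30000:32767 Intranet'

# Print the ufw command for one row; any access class not in the table is an error.
ufw_rule() {
  proto=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$3" in
    Public)   printf 'ufw allow in to any port %s proto %s\n' "$2" "$proto" ;;
    Intranet) printf 'ufw allow in from %s to any port %s proto %s\n' \
                "$INTRANET_CIDR" "$2" "$proto" ;;
    *) echo "unknown access class: $3" >&2; return 1 ;;
  esac
}

# Full plan: default-deny inbound, one allow per table row, then enable ufw.
ufw_plan() {
  printf 'ufw default deny incoming\nufw default allow outgoing\n'
  printf '%s\n' "$NODE_RULES" | while read -r proto port access; do
    ufw_rule "$proto" "$port" "$access"
  done
  printf 'ufw --force enable\n'
}

# Dry run by default so the plan can be reviewed; APPLY=1 executes it as root.
if [ "${APPLY:-0}" = "1" ]; then
  ufw_plan | while read -r cmd; do eval "$cmd"; done
else
  ufw_plan
fi
```

For the load balancer, Wireguard or NFS hosts, replace the rows in `NODE_RULES` with the matching table; the Public/Intranet handling stays the same.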
Additional Reference: RKE2 Networking Requirements