# Firewall

To set up the Kubernetes cluster, you need to open a few ports on all nodes, as listed below.

## Firewall rules for Kubernetes node

Set up firewall rules on each node according to the following table.

<table><thead><tr><th width="126">Protocol</th><th width="144">Port</th><th width="272">Access</th><th>Purpose</th></tr></thead><tbody><tr><td>TCP</td><td>22</td><td>Public/Internet</td><td>SSH</td></tr><tr><td>TCP</td><td>80</td><td>Public/Internet</td><td>HTTP</td></tr><tr><td>TCP</td><td>443</td><td>Public/Internet</td><td>HTTPS</td></tr><tr><td>TCP</td><td>5432</td><td>Intranet</td><td>Postgres</td></tr><tr><td>TCP</td><td>9345</td><td>Intranet</td><td>RKE</td></tr><tr><td>TCP</td><td>6443</td><td>Intranet</td><td>K8s API</td></tr><tr><td>UDP</td><td>8472</td><td>Intranet</td><td>K8s Flannel VXLAN</td></tr><tr><td>TCP</td><td>10250</td><td>Intranet</td><td>kubelet</td></tr><tr><td>TCP</td><td>2379</td><td>Intranet</td><td>etcd client</td></tr><tr><td>TCP</td><td>2380</td><td>Intranet</td><td>etcd peer</td></tr><tr><td>TCP</td><td>9796</td><td>Intranet</td><td>Prometheus</td></tr><tr><td>TCP</td><td>30000:32767</td><td>Intranet</td><td>K8s NodePort</td></tr></tbody></table>

## Firewall rules for Load Balancer

<table><thead><tr><th width="126">Protocol</th><th width="144">Port</th><th width="272">Access</th><th>Purpose</th></tr></thead><tbody><tr><td>TCP</td><td>22</td><td>Public/Internet</td><td>SSH</td></tr><tr><td>TCP</td><td>80</td><td>Public/Internet</td><td>HTTP</td></tr><tr><td>TCP</td><td>443</td><td>Public/Internet</td><td>HTTPS</td></tr><tr><td>TCP</td><td>5432</td><td>Intranet</td><td>Postgres</td></tr></tbody></table>

## Firewall rules for Wireguard

<table><thead><tr><th width="126">Protocol</th><th width="144">Port</th><th width="272">Access</th><th>Purpose</th></tr></thead><tbody><tr><td>TCP</td><td>22</td><td>Public/Internet</td><td>SSH</td></tr><tr><td>UDP</td><td>51820-5182n</td><td>Public/Internet</td><td>Multiple Wireguard servers</td></tr></tbody></table>

## Firewall rules for NFS

<table><thead><tr><th width="126">Protocol</th><th width="144">Port</th><th width="272">Access</th><th>Purpose</th></tr></thead><tbody><tr><td>TCP</td><td>22</td><td>Public/Internet</td><td>SSH</td></tr><tr><td>TCP</td><td>2049</td><td>Intranet</td><td>NFS server</td></tr></tbody></table>

### Firewall setup

The exact method of setting up the firewall rules varies between cloud providers and on-prem installations (for example, EC2 security groups on AWS, or `ufw` on an on-prem cluster).

#### Using Ansible

* Install `ansible` on your machine.
* Make sure you have SSH access to all nodes of the cluster.
* Create a `hosts.ini` file. A sample is given [here](https://github.com/OpenG2P/openg2p-deployment/tree/main/ansible).
* Copy the [`ports.yaml`](https://github.com/OpenG2P/openg2p-deployment/blob/main/ansible/ports.yaml) file and inspect it for any changes with respect to the tables above.
* Run:

```shell-session
ansible-playbook -i hosts.ini ports.yaml
```

#### Manual

* You can use `ufw` to set up the firewall on each cluster node.
  * SSH into each node and switch to the superuser.
  * Run the following command for each rule in the table above:

    ```shell-session
    ufw allow from <from-ip-range-allowed> to any port <port/range> proto <tcp/udp>
    ```
  * Example:

    ```shell-session
    ufw allow from any to any port 22 proto tcp
    ufw allow from 10.3.4.0/24 to any port 9345 proto tcp
    ```
  * Enable ufw:

    ```shell-session
    ufw enable
    ufw default deny incoming
    ```
* Additional Reference: [RKE2 Networking Requirements](https://docs.rke2.io/install/requirements#networking)
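As an added example (not part of this page or the OpenG2P repository), the following POSIX shell script encodes the Kubernetes node table above and generates the matching `ufw` commands, so the rules can be reviewed before being applied; every Intranet row is restricted to the CIDR passed as the first argument, while only the Public rows accept traffic from `any`. The script name and the `10.3.4.0/24` intranet range are assumptions.

```shell
#!/bin/sh
# Constructed example: generate ufw commands from the node rule table.
# Review the output, then apply it on the node as root, e.g.:
#   sh gen_ufw_rules.sh 10.3.4.0/24 | sh
# (10.3.4.0/24 is an assumed intranet range, as in the example above.)

# Rule table for a Kubernetes node: proto port access purpose
K8S_NODE_RULES='tcp 22 public SSH
tcp 80 public HTTP
tcp 443 public HTTPS
tcp 5432 intranet Postgres
tcp 9345 intranet RKE
tcp 6443 intranet K8s-API
udp 8472 intranet Flannel-VXLAN
tcp 10250 intranet kubelet
tcp 2379 intranet etcd-client
tcp 2380 intranet etcd-peer
tcp 9796 intranet Prometheus
tcp 30000:32767 intranet NodePort'

# Print one "ufw allow" line per table row. Public rows accept any source;
# intranet rows are limited to the given CIDR so that cluster-internal ports
# (etcd, kubelet, API, NodePort range) are never reachable from the internet.
gen_ufw_rules() {
    cidr=$1
    # Refuse anything that is not a CIDR, so intranet rules cannot silently
    # end up open to "any".
    case $cidr in
        */*) ;;
        *) echo "intranet range must be a CIDR, got '$cidr'" >&2; return 1 ;;
    esac
    while read -r proto port access purpose; do
        [ -n "$proto" ] || continue
        case $access in
            public)   src=any ;;
            intranet) src=$cidr ;;
            *) echo "unknown access '$access' for port $port" >&2; return 1 ;;
        esac
        printf 'ufw allow from %s to any port %s proto %s  # %s\n' \
            "$src" "$port" "$proto" "$purpose"
    done <<EOF
$K8S_NODE_RULES
EOF
    # Set the default policy before enabling, so nothing unlisted is exposed.
    echo 'ufw default deny incoming'
    echo 'ufw enable'
}

# Usage: sh gen_ufw_rules.sh <intranet-cidr>
if [ -n "$1" ]; then
    gen_ufw_rules "$1"
fi
```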

