Firewall

Firewall setup for various components

To set up the Kubernetes cluster, you need to open the ports listed below on all nodes.

Firewall rules for Kubernetes node

Set up firewall rules on each node according to the following table.

Protocol  Port         Access           Purpose
TCP       22           Public/Internet  SSH
TCP       80           Public/Internet  HTTP
TCP       443          Public/Internet  HTTPS
TCP       5432         Intranet         Postgres
TCP       9345         Intranet         RKE
TCP       6443         Intranet         K8s API
UDP       8472         Intranet         K8s Flannel VXLAN
TCP       10250        Intranet         kubelet
TCP       2379         Intranet         etcd client
TCP       2380         Intranet         etcd peer
TCP       9796         Intranet         Prometheus
TCP       30000:32767  Intranet         K8s NodePort

Firewall rules for Load Balancer

Protocol  Port         Access           Purpose
TCP       22           Public/Internet  SSH
TCP       80           Public/Internet  HTTP
TCP       443          Public/Internet  HTTPS
TCP       5432         Intranet         Postgres

Firewall rules for Wireguard

Protocol  Port         Access           Purpose
TCP       22           Public/Internet  SSH
UDP       51820-5182n  Public/Internet  Multiple Wireguard servers (one port per server)

Firewall rules for NFS

Protocol  Port         Access           Purpose
TCP       22           Public/Internet  SSH
TCP       2049         Intranet         NFS server

Firewall setup

The exact method of setting up the firewall rules varies between clouds and on-prem environments (for example, on AWS you can use EC2 security groups, for an on-prem cluster you can use ufw, and so on).

Using Ansible

  • Install Ansible on your machine.

  • Make sure you have SSH access to all nodes of the cluster.

  • Create a hosts.ini file. A sample is given here.

  • Copy the ports.yaml file and check it against the table above for any differences.

  • Run:

ansible-playbook -i hosts.ini ports.yaml

Manual

  • You can use ufw to set up the firewall on each cluster node.

    • SSH into each node and switch to the superuser.

    • Run the following command for each rule in the table above:

      ufw allow from <from-ip-range-allowed> to any port <port/range> proto <tcp/udp>
    • Example (SSH open to everyone, RKE restricted to the intranet range):

      ufw allow from any to any port 22 proto tcp
      ufw allow from 10.3.4.0/24 to any port 9345 proto tcp
    • Enable ufw:

      ufw enable
      ufw default deny incoming
  • Additional Reference: RKE2 Networking Requirements
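The following script is an added example, not part of the original docs or the ports.yaml playbook: it renders the Kubernetes node table above into ufw commands so that every "Intranet" row is bound to the CIDR you pass in and only the "Public/Internet" rows are opened to any source. The script name, the 10.3.4.0/24 range and the embedded NODE_RULES list are assumptions constructed from the table.

```shell
#!/usr/bin/env bash
# Added example, not part of the original docs: turn the Kubernetes node table
# into ufw rules, so the "Intranet" rows never end up open to the world.
# The CIDR, script name and NODE_RULES list are assumptions for illustration.
set -euo pipefail

# Constructed from the node table: proto, port, access class, purpose.
NODE_RULES='
tcp 22          Public/Internet SSH
tcp 80          Public/Internet HTTP
tcp 443         Public/Internet HTTPS
tcp 5432        Intranet        Postgres
tcp 9345        Intranet        RKE
tcp 6443        Intranet        K8s-API
udp 8472        Intranet        K8s-Flannel-VXLAN
tcp 10250       Intranet        kubelet
tcp 2379        Intranet        etcd-client
tcp 2380        Intranet        etcd-peer
tcp 9796        Intranet        Prometheus
tcp 30000:32767 Intranet        K8s-NodePort
'

# render_rules <intranet-cidr>: print one "ufw allow" line per row.
# Public/Internet rows get "from any"; Intranet rows get the given CIDR only.
render_rules() {
    local intranet="$1" proto port access purpose src
    printf '%s\n' "$NODE_RULES" | while read -r proto port access purpose; do
        [ -n "$proto" ] || continue
        case "$access" in
            Public/Internet) src=any ;;
            Intranet)        src="$intranet" ;;
            *) echo "unknown access class '$access' for port $port" >&2; return 1 ;;
        esac
        printf 'ufw allow from %s to any port %s proto %s comment %s\n' \
            "$src" "$port" "$proto" "$purpose"
    done
}

# Usage: node-fw.sh <intranet-cidr> [--apply]
# Prints the commands for review; --apply runs them as root, then sets the
# default policy before enabling so the SSH allow rule is already in place.
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--apply" ]; then
        render_rules "$1" | bash -e
        ufw default deny incoming
        ufw --force enable
    else
        render_rules "$1"
    fi
fi
```

Run it without --apply first and diff the printed rules against the table; a row that unexpectedly reads "from any" on a port such as 9345 or 2379 is the misconfiguration this check is meant to catch.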
