# Firewall setup for various components
To set up the Kubernetes cluster, you need to open the ports listed below on the nodes. Set up inbound firewall rules on each Kubernetes node according to the following table and keep every other inbound port closed. "Public/Internet" means the port may be reached from anywhere; "Intranet" means it must be reachable only from the address range of the other nodes.

Protocol | Port | Access | Purpose |
---|---|---|---|
TCP | 22 | Public/Internet | SSH |
TCP | 80 | Public/Internet | HTTP |
TCP | 443 | Public/Internet | HTTPS |
TCP | 5432 | Intranet | Postgres |
TCP | 9345 | Intranet | RKE |
TCP | 6443 | Intranet | K8s API |
UDP | 8472 | Intranet | K8s Flannel VXLAN |
TCP | 10250 | Intranet | kubelet |
TCP | 2379 | Intranet | etcd client |
TCP | 2380 | Intranet | etcd peer |
TCP | 9796 | Intranet | Prometheus |
TCP | 30000:32767 | Intranet | K8s NodePort |
Firewall rules for the database node (Postgres):

Protocol | Port | Access | Purpose |
---|---|---|---|
TCP | 22 | Public/Internet | SSH |
TCP | 80 | Public/Internet | HTTP |
TCP | 443 | Public/Internet | HTTPS |
TCP | 5432 | Intranet | Postgres |
Firewall rules for the Wireguard server node(s). Each Wireguard server listens on its own UDP port, starting at 51820:

Protocol | Port | Access | Purpose |
---|---|---|---|
TCP | 22 | Public/Internet | SSH |
UDP | 51820-5182n | Public/Internet | Multiple Wireguard servers (one port per server) |
Firewall rules for the NFS server node:

Protocol | Port | Access | Purpose |
---|---|---|---|
TCP | 22 | Public/Internet | SSH |
TCP | 2049 | Intranet | NFS server |
The exact method of setting up the firewall rules varies between clouds and on-prem installations. For example, on AWS the rules can be expressed as EC2 security groups, while on an on-prem cluster `ufw` can be used on each node. Two options are described below: an Ansible playbook that applies the rules to all nodes at once, and manual `ufw` commands.
- On your machine, install `ansible`.
- Make sure you have SSH access to all nodes of the cluster.
- Create a `hosts.ini` inventory file listing the nodes. A sample is given here.
- Copy the `ports.yaml` playbook and inspect it for any differences with respect to the tables above.
- Run `ansible-playbook -i hosts.ini ports.yaml`.
- You can use `ufw` to set up the firewall on each cluster node:
  - SSH into each node and change to the superuser.
  - Run the following command for each rule in the table that applies to the node's role: `ufw allow from <from-ip-range-allowed> to any port <port/range> proto <tcp/udp>`. Port ranges are written with a colon (for example `30000:32767`) and `ufw` requires the `proto` argument for ranges.
  - Example: `ufw allow from any to any port 22 proto tcp` for a public port, and `ufw allow from 10.3.4.0/24 to any port 9345 proto tcp` for an intranet port (replace `10.3.4.0/24` with your node network).
  - Set the default policy and enable ufw: `ufw default deny incoming`, then `ufw enable`. Make sure the SSH allow rule is in place before enabling, otherwise the node becomes unreachable once the default-deny policy is active.
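The manual `ufw` procedure above, as an added example that is not part of the original page or the project's own `ports.yaml`: a POSIX shell script that turns the Kubernetes-node table into `ufw` commands in a lock-out-safe order (default policies, the allow rules with SSH first, enable last), prints the plan by default, and only applies it when `APPLY=1` is set. The function names and the `INTRANET_CIDR` variable are this example's own; the `10.3.4.0/24` default is a placeholder taken from the page's own example, not a value the project prescribes.

```shell
#!/bin/sh
# Added example, not part of the original page: render the Kubernetes-node
# firewall table above as ufw commands in a lock-out-safe order. Prints the
# plan by default; applies it (as root on the node) only when APPLY=1 is set.
# Assumption (placeholder, not from the project): the intranet is a single
# CIDR in INTRANET_CIDR, defaulting to the 10.3.4.0/24 from the page's example.
set -eu

INTRANET_CIDR="${INTRANET_CIDR:-10.3.4.0/24}"

# One table row per line: protocol, port or range (ufw writes ranges with a
# colon), access class, purpose. Mirrors the Kubernetes-node table above.
K8S_NODE_RULES='
tcp 22 public SSH
tcp 80 public HTTP
tcp 443 public HTTPS
tcp 5432 intranet Postgres
tcp 9345 intranet RKE
tcp 6443 intranet K8s-API
udp 8472 intranet Flannel-VXLAN
tcp 10250 intranet kubelet
tcp 2379 intranet etcd-client
tcp 2380 intranet etcd-peer
tcp 9796 intranet Prometheus
tcp 30000:32767 intranet K8s-NodePort
'

# Map the table's Access column to the source filter ufw expects.
source_for() {
  case "$1" in
    public)   echo "any" ;;
    intranet) echo "$INTRANET_CIDR" ;;
    *)        echo "unknown access class: $1" >&2; return 1 ;;
  esac
}

# Build the ufw allow command for one row. Arguments: proto port access.
ufw_allow_cmd() {
  src=$(source_for "$3")
  echo "ufw allow from $src to any port $2 proto $1"
}

# Render the whole sequence: default policies first, the allow rules in table
# order (SSH is the first row, so the session survives), and enable last.
# --force skips ufw's interactive confirmation so the output can be piped
# into a shell.
render_rules() {
  printf '%s\n' "ufw default deny incoming" "ufw default allow outgoing"
  printf '%s\n' "$1" | while read -r proto port access _purpose; do
    [ -n "$proto" ] || continue
    ufw_allow_cmd "$proto" "$port" "$access"
  done
  echo "ufw --force enable"
}

# Returns 0 if the rendered rule set allows SSH, 1 otherwise; used to refuse
# a default-deny policy that would lock the operator out.
has_ssh_rule() {
  render_rules "$1" | grep -q 'port 22 proto tcp'
}

main() {
  has_ssh_rule "$K8S_NODE_RULES" || { echo "no SSH rule; refusing" >&2; exit 1; }
  if [ "${APPLY:-0}" = "1" ]; then
    render_rules "$K8S_NODE_RULES" | sh -e    # run as root on the node
  else
    render_rules "$K8S_NODE_RULES"
  fi
}

main
```

Run it without arguments to review the generated commands, then `INTRANET_CIDR=<your node network> APPLY=1 sh rules.sh` as root on the node to apply them. To cover the database, Wireguard or NFS nodes, replace the rule list with the rows from the corresponding table; the SSH check still guards every variant.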
- Additional Reference: RKE2 Networking Requirements