---
# Firewall rules for cluster services, grouped by the node role they apply to.
#
# Keys used on the rules below (exact handling lives in the role that consumes
# fw_cluster_svc — confirm against it):
#   port     integer port, or a quoted 'low:high' range (quoted so YAML does not
#            read the colon form as a sexagesimal number)
#   proto    only ever 'udp' here; rules without it presumably default to tcp
#   from     source network, mostly templated from inventory vars; omitted on
#            most rules, which presumably means any source
#   route    true on the rules whose comment labels them 'outbound'
#   comment  human-readable purpose of the rule
fw_cluster_svc:
  # Presumably applied to every node regardless of role — confirm with the consumer.
  common:
    - port: 80
      comment: 'Allow http'
    - port: 443
      comment: 'Allow https'
    - port: 53
      comment: 'Allow DNS'
    - port: 53
      proto: udp
      comment: 'Allow DNS'
    # Scrape access is limited to the trusted network rather than open to all.
    - port: 9100
      comment: 'Allow Node Exporter (K8s)'
      from: "{{ safe_network }}"
    - port: 80
      comment: 'Allow http outbound'
      route: true
      from: "{{ kube_network }}"
    # NOTE(review): the only routed rule without a `from` restriction; every
    # other outbound rule is limited to kube_network — confirm this is intended.
    - port: 443
      comment: 'Allow https outbound'
      route: true
    - port: 53
      comment: 'Allow DNS outbound'
      route: true
      from: "{{ kube_network }}"
      proto: udp
    - port: 161
      comment: 'Allow SNMP outbound'
      route: true
      from: "{{ kube_network }}"
      proto: udp

  # Control-plane only: etcd, API server, scheduler and controller-manager ports.
  master:
    - port: 2379
      comment: 'Allow etcd-client'
    - port: 2380
      comment: 'Allow etcd-server'
    - port: 6443
      comment: 'Allow Kubernetes API server'
    - port: 7946
      comment: 'Allow MetalLB'
    - port: 7946
      comment: 'Allow MetalLB'
      proto: udp
    - port: 9153
      comment: 'Allow CoreDNS metrics'
    - port: 9253
      comment: 'Allow NodeLocal DNS metrics'
    - port: 10250
      comment: 'Allow Kubelet API'
    - port: 10257
      comment: 'Allow kube-controller manager'
    - port: 10259
      comment: 'Allow kube-scheduler'

  # Worker nodes: kubelet/kube-proxy, NodePort range and workload-specific ports.
  worker:
    - port: 7946
      comment: 'Allow MetalLB'
    - port: 7946
      comment: 'Allow MetalLB'
      proto: udp
    - port: 9253
      comment: 'Allow NodeLocal DNS metrics'
    - port: 10250
      comment: 'Allow Kubelet API'
    - port: 10256
      comment: 'Allow kube-proxy'
    # The only rule explicitly opened to any source address; keep that scope in
    # mind when reviewing what else listens on this port.
    - port: 25565
      comment: 'Allow Minecraft game'
      from: '0.0.0.0/0'
    - port: "30000:32767"
      comment: 'Allow NodePort Services'
    - port: 9443
      comment: 'Allow MinIO console'
    # UniFi Network
    - port: 3478
      comment: 'Allow UniFi STUN'
      proto: udp
    - port: 5514
      comment: 'Allow UniFi remote syslog'
      proto: udp
    - port: 8080
      comment: 'Allow UniFi communication'
    - port: 6789
      comment: 'Allow UniFi speed test'
    - port: 10001
      comment: 'Allow UniFi device discovery'
      proto: udp
    - port: 1900
      comment: 'Allow UniFi discoverable on L2'
      proto: udp
    - port: 3478
      comment: 'Allow UniFi STUN outbound'
      route: true
      from: "{{ kube_network }}"
      proto: udp
    - port: 123
      comment: 'Allow UniFi NTP outbound'
      route: true
      from: "{{ kube_network }}"
      proto: udp
    - port: 22
      comment: 'Allow UniFi device access'
      route: true
      from: "{{ kube_network }}"