How to customize firewall rules for managed kubernetes service?

May 29, 2019 797 views
DigitalOcean Kubernetes Firewall

Hi. I recently started to use DigitalOcean managed Kubernetes, and just realized that when I try to modify my node pools (adding or deleting an existing one), it also refreshes my firewall setup together with it.

I need to customize this firewall rule for my services, and a rollback of firewall rules can be a DISASTER in my case.

Is there any way to define custom ports on the firewall and lock it to avoid an unexpected rollback?

I’m pretty sure that this can be a common issue for every user who is planning to use DO managed Kubernetes.

I’ll wait for your reply. Thanks.

2 Answers

Hey there,

The firewall created automatically by your DOKS cluster has a controller watching its state, helping to ensure the rules needed for the cluster to function stay in place. Any time reconciliation of the cluster occurs (from adding/recycling nodes, etc.), the state is checked, and if any changes have been made the firewall is replaced entirely.

Right now, this means no changes to that firewall are recommended. To add additional firewall rules to your DOKS cluster you’ll need to create a separate Cloud Firewall and point it toward your DOKS cluster’s tag. You can modify this firewall, which isn’t watched by a controller, as much as you want; reconciliation will have no effect on it. Creating this via doctl would look something like:

doctl compute firewall create --inbound-rules="protocol:tcp,address:0.0.0.0/0,ports:22" --tag-names=k8s:CLUSTER_UUID --name=<your_name>

Our DOKS Engineering team is working on a more robust firewall implementation to remove these middle steps; this is something we’re actively investigating and don’t have an exact ETA on release. Be sure to continue watching for updates to DOKS, as this is bound to come in future releases.

If you have any other questions or need anything else, just write back in and let us know.

Regards,
Ethan - Developer Support Engineer II @ DigitalOcean
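A small helper for the approach Ethan describes, added here as an example (it is not DigitalOcean's code and not from this thread): it composes the --inbound-rules string for a separate Cloud Firewall that opens a port range to named source CIDRs only, using the NodePort range the follow-up asks about, and prints the doctl command instead of running it. The function names, the CIDR values and CLUSTER_UUID are constructed placeholders, and the space-separated multiple-rule syntax is assumed from doctl's documentation.

```shell
#!/bin/sh
# Added example (not DigitalOcean's code): compose doctl firewall rules for a
# DOKS cluster tag without touching the controller-managed firewall.

# build_inbound_rules PROTO PORTS CIDR [CIDR...]
# Prints one "protocol:P,ports:N,address:CIDR" rule per source CIDR, separated
# by spaces (multi-rule form assumed from doctl's --inbound-rules docs).
# Rejects anything that is not an IPv4 CIDR so a stray value never reaches doctl.
build_inbound_rules() {
  proto="$1"; ports="$2"; shift 2
  [ "$#" -gt 0 ] || { echo "at least one CIDR required" >&2; return 1; }
  out=""
  for cidr in "$@"; do
    case "$cidr" in
      ""|/*|*/|*[!0-9./]*) echo "bad CIDR: $cidr" >&2; return 1 ;;
    esac
    out="${out:+$out }protocol:${proto},ports:${ports},address:${cidr}"
  done
  printf '%s' "$out"
}

# doks_firewall_cmd NAME CLUSTER_UUID RULES
# Prints the doctl invocation; review the output before running it.
# k8s:CLUSTER_UUID is the tag DOKS applies to the cluster's nodes.
doks_firewall_cmd() {
  printf 'doctl compute firewall create --name %s --tag-names k8s:%s --inbound-rules "%s"\n' \
    "$1" "$2" "$3"
}

# Demo with constructed values: NodePort range reachable from two admin
# networks only, instead of 0.0.0.0/0.  CLUSTER_UUID stands for the real
# cluster ID, which `doctl kubernetes cluster get <name> --format ID --no-header`
# prints.
rules=$(build_inbound_rules tcp 30000-32767 203.0.113.0/24 198.51.100.7/32) || exit 1
doks_firewall_cmd nodeport-admin-only CLUSTER_UUID "$rules"
```

As the follow-up in this thread reports, a separate firewall like this adds access but does not narrow rules that the auto-generated firewall already allows.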

  • If that is the case, it should be documented very prominently!

    I thought I was crazy and had to debug it, which wasted my time :(. After all, there is nothing preventing me from modifying the default created firewall for k8s.

Hi Ethan.

Thanks for the reply. Creating separate firewall rules with the k8s tag worked fine for adding custom port access.

But it looks like it is still impossible to override an existing firewall rule that is already defined on the auto-generated one.

For example, I want to only allow access to NodePorts (ports 30000 ~ 32767) from specific IPs, not just open them to the public. But it seems that defining these custom rules on a separate firewall doesn’t really override the existing one.

Can you also help me solve this issue?

Thanks again.
