Question

How to customize firewall rules for managed kubernetes service?

Hi. I recently started to use DigitalOcean managed Kubernetes, and just realized that when I try to modify my node pools (adding or deleting an existing one), it also refreshes my firewall setup.

I need to customize this firewall rule for my services, and a rollback of firewall rules can be a DISASTER in my case.

Is there any way to define custom ports on the firewall and lock it to avoid an unexpected rollback?

I’m pretty sure that this can be a common issue for every user who is planning to use DO managed Kubernetes.

I’ll wait for your reply. Thanks.


Hi Ethan.

Thanks for the reply. Creating separate firewall rules with the k8s tag worked fine for adding custom port access.

But it looks like it is still impossible to override an existing firewall rule which is already defined on the auto-generated one.

For example, I want to only allow access to NodePort (ports 30000 ~ 32767) from specific IPs, not just open it to the public. But it seems that defining these custom rules on a separate firewall doesn’t really override the existing one.

Can you also help me solve this issue?

Thanks again.

Hey there,

The firewall created automatically by your DOKS cluster has a controller watching its state, helping to ensure the rules needed for the cluster to function stay in place. Any time reconciliation of the cluster occurs (from adding/recycling nodes, etc.) the state is checked, and if any changes are made the firewall is replaced entirely.

Right now, this means no changes to that firewall are recommended. To add additional firewall rules to your DOKS cluster you’ll need to create a separate Cloud Firewall and point it toward your DOKS cluster’s tag. You can modify this firewall, which isn’t watched by a controller, as much as you want; reconciliation will have no effect on it. Creating this via doctl would look something like:

doctl compute firewall create --inbound-rules="protocol:tcp,address:0.0.0.0/0,ports:22" --tag-names=k8s:CLUSTER_UUID --name=<your_name>

Our DOKS Engineering team is working on a more robust firewall implementation to remove these middle steps; this is something we’re actively investigating and don’t have an exact ETA on release. Be sure to continue watching for updates to DOKS as this is bound to come in future releases.

If you have any other questions or need anything else, just write back in and let us know.

Regards, Ethan - Developer Support Engineer II @ DigitalOcean
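The separate-firewall approach from the reply above, assembled into a script as an added example (not DigitalOcean's code and not from anyone in this thread): it builds the doctl invocation that exposes the NodePort range 30000-32767 only to allow-listed CIDRs on the cluster's k8s tag, and refuses an allow-all source so the new firewall cannot silently re-open the range. CLUSTER_UUID, the firewall name and the CIDRs are placeholders; the rule-string layout (comma-separated keys, space-separated rules) follows the doctl command shown in the reply.

```shell
#!/bin/sh
# Added example, not DigitalOcean's own code. Builds (and optionally runs) the doctl
# command for a separate Cloud Firewall that allows NodePorts only from listed CIDRs.
# CLUSTER_UUID, the firewall name and the CIDRs below are placeholders.
set -eu

# Reject allow-all sources so this firewall never widens access to the whole internet.
is_restrictive_cidr() {
  case "$1" in
    0.0.0.0/0|::/0|"") return 1 ;;
    *) return 0 ;;
  esac
}

# build_inbound_rules PORTS CIDR... -> one "protocol:tcp,address:CIDR,ports:PORTS"
# entry per CIDR, separated by spaces (doctl's multi-rule form).
build_inbound_rules() {
  ports="$1"; shift
  rules=""
  for cidr in "$@"; do
    is_restrictive_cidr "$cidr" || { echo "refusing allow-all source: $cidr" >&2; return 1; }
    rules="${rules:+$rules }protocol:tcp,address:${cidr},ports:${ports}"
  done
  printf '%s' "$rules"
}

# build_command CLUSTER_UUID NAME PORTS CIDR... -> the full doctl invocation as text
build_command() {
  uuid="$1"; name="$2"; ports="$3"; shift 3
  rules=$(build_inbound_rules "$ports" "$@") || return 1
  printf 'doctl compute firewall create --name=%s --tag-names=k8s:%s --inbound-rules="%s"' \
    "$name" "$uuid" "$rules"
}

# Placeholder inputs: replace with your cluster UUID and your office/VPN ranges.
CLUSTER_UUID="${CLUSTER_UUID:-00000000-0000-0000-0000-000000000000}"
cmd=$(build_command "$CLUSTER_UUID" nodeport-allowlist 30000-32767 203.0.113.0/24 198.51.100.7/32)
if [ "${APPLY:-0}" = 1 ]; then
  eval "$cmd"   # runs doctl only when APPLY=1 is set explicitly
else
  echo "$cmd"   # dry run: print the command for review
fi
```

As the follow-up in this thread notes, this only adds a second firewall attached to the cluster tag; the auto-generated firewall keeps its own rules, so review both when checking what is actually reachable.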

Relevant reading:

https://www.digitalocean.com/docs/kubernetes/resources/managed/#worker-node-firewalls

It explains how to create a new cloud firewall, attach it to your DOKS cluster, and alter the default “allow all IPv4+IPv6 traffic” rule that is automatically created when defining a NodePort.