Hi there,

Unfortunately, it is not currently possible to add further restrictions to this nodeport range. Because our cloud firewalls are whitelist based, a DENY cannot override an ALLOW. We are currently exploring ways to make the DOKS generated objects more flexible to accommodate a wider range of customer use cases.

Modifying the generated cloud firewall is also not recommended and although it will work temporarily, it will be overwritten by the cluster reconciler to the default settings.

The cloud resources(volumes/Load Balancers/Firewall) created by DOKS are not intended to be manually modified/renamed. This is because the DOKS reconciler looks to find cloud resources with the name they were created with in order to manage and validate its settings. If there are manual modifications made to a cloud resource’s settings, the reconciler will overwrite them.

A workaround to what your trying to do would be to expose an ingress-controller service to front your other services. Then you may use the whitelist annotation functionality, for example, provided by the nginx ingress controller. See the documentation here:

https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#whitelist-source-range

Regards,

John Kwiatkoski
Senior Developer Support Engineer