By yechan
Hi there.
Weeks ago, I already asked a question for how to customize DO managed Kubernetes firewall on forum.
I know how to ADD new firewall rules now, but I don’t know how to customize EXISTING RULES which already added by default DO Kubernetes.
For example, DO defaultly marked that Kubernetes NodePort range (30000 ~ 32767) as a public access, which allows every IPs without any restrictions.
But I want to ONLY ALLOW my own IP to reach NodePort in this case.
Already tried to make an additional firewall with IP restriction on NodePort range, and bound it with my DOKS cluster, But didn’t work properly.
Any helpful tips for this?
Thanks.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
With 1.19 this is finally possible! NodePort range is now closed by default. NodePort Services will open the automatic firewall. This can be disabled via annotation, for example:
apiVersion: v1
kind: Service
metadata:
name: traefik
namespace: default
annotations:
kubernetes.digitalocean.com/firewall-managed: "false"
spec:
type: NodePort
ports:
- protocol: TCP
name: web
port: 8000
nodePort: 30000
selector:
app: traefik
Now using an additional custom firewall applied to the cluster, NodePort service connectivity can be properly limited.
Hi there,
Unfortunately, it is not currently possible to add further restrictions to this nodeport range. Because our cloud firewalls are whitelist based, a DENY cannot override an ALLOW. We are currently exploring ways to make the DOKS generated objects more flexible to accommodate a wider range of customer use cases.
Modifying the generated cloud firewall is also not recommended and although it will work temporarily, it will be overwritten by the cluster reconciler to the default settings.
The cloud resources(volumes/Load Balancers/Firewall) created by DOKS are not intended to be manually modified/renamed. This is because the DOKS reconciler looks to find cloud resources with the name they were created with in order to manage and validate its settings. If there are manual modifications made to a cloud resource’s settings, the reconciler will overwrite them.
A workaround to what your trying to do would be to expose an ingress-controller service to front your other services. Then you may use the whitelist annotation functionality, for example, provided by the nginx ingress controller. See the documentation here:
Regards,
John Kwiatkoski Senior Developer Support Engineer
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.