Question
Kuberenetes Firewalling the management API
- Posted December 31, 2018
- APIKubernetesDigitalOcean Cloud FirewallsCoreOS
Hi all,
I’m quite familiar with DO, Kubernetes and coreos ( used to deploy ETCD clusters on DO using Ansible + API).
I’m looking at using DO to host an test K8 cluster, and am looking to ‘lock down’ the management API.
Typically I would firewall port 443 to the master node (network firewall, local baremetal), but have noticed the DO firewall doesn’t seem to handle this traffic, and adding a rule to only allow from my source IP is not working. Locally I could also update the mater’s host-based firewall, I haven’t looked to much into this on DO yet, although the nodes appear to be running debian :S.
As a pot-shot, i’m guessing DO is handling the k8s management endpoints by a different (not configurable by us) means, although would be happily corrected/pointed in the right direction.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Hey friend, you’re correct, we’re providing a managed Kubernetes product (our short hand for it is DOKS 👍🏼 ) so there’s no access to the management layer: https://www.digitalocean.com/docs/kubernetes/overview/ Hope this helps.
