Kubernetes: Firewalling the management API

December 31, 2018
API Kubernetes DigitalOcean Cloud Firewalls

Hi all,

I’m quite familiar with DO, Kubernetes and CoreOS (I used to deploy etcd clusters on DO using Ansible + the API).

I’m looking at using DO to host a test K8s cluster, and am looking to ‘lock down’ the management API.

Typically I would firewall port 443 to the master node (network firewall, local bare metal), but have noticed the DO firewall doesn’t seem to handle this traffic, and adding a rule to only allow from my source IP is not working. Locally I could also update the master’s host-based firewall; I haven’t looked too much into this on DO yet, although the nodes appear to be running Debian :S

As a pot shot, I’m guessing DO is handling the k8s management endpoints by a different (not configurable by us) means, although I would be happily corrected/pointed in the right direction.
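For reference, this is the host-based firewall the post describes as the usual approach on a self-managed control plane: allow the API port only from the admin workstation and the worker-node network, drop everything else. It is an added example, not code from the thread or from DigitalOcean, and it only applies to a control plane you run yourself (on a managed cluster you have no shell on the master). The port 6443, the admin address 203.0.113.10/32 and the node range 10.10.0.0/16 are hypothetical values; adjust them to your cluster. The script prints the iptables commands for review and only executes them when run as `--apply`.

```shell
#!/bin/sh
# Added example (not from the thread): restrict a self-managed Kubernetes
# API server to known sources with iptables. Hypothetical defaults below;
# override them via environment variables.
API_PORT="${API_PORT:-6443}"                  # kube-apiserver listen port
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"   # your workstation / bastion
NODE_CIDR="${NODE_CIDR:-10.10.0.0/16}"        # worker nodes (kubelets need the API)

# Emit the iptables commands that build a dedicated K8S-API chain:
# loopback, node network and admin address are accepted, everything else
# to the API port is dropped. Only NEW connections are sent to the chain
# so established sessions are handled by the usual conntrack rule.
api_firewall_rules() {
    port="$1"; admin="$2"; nodes="$3"
    cat <<EOF
iptables -N K8S-API 2>/dev/null || iptables -F K8S-API
iptables -A K8S-API -s 127.0.0.0/8 -j ACCEPT
iptables -A K8S-API -s ${nodes} -j ACCEPT
iptables -A K8S-API -s ${admin} -j ACCEPT
iptables -A K8S-API -j DROP
iptables -C INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j K8S-API 2>/dev/null || iptables -I INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j K8S-API
EOF
}

# Dry run by default; pass --apply (as root) to execute the rules.
if [ "${1:-}" = "--apply" ]; then
    api_firewall_rules "$API_PORT" "$ADMIN_CIDR" "$NODE_CIDR" | sh -e
else
    api_firewall_rules "$API_PORT" "$ADMIN_CIDR" "$NODE_CIDR"
fi
```

Before applying, check that the node CIDR really covers every kubelet and any in-cluster component that talks to the API through the node address; dropping those breaks the cluster rather than just your kubectl session. Keep the rules persistent (iptables-persistent or your distribution's equivalent) so a reboot does not silently reopen the port.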

1 Answer
wadenick MOD January 2, 2019
Accepted Answer

Hey friend, you’re correct, we’re providing a managed Kubernetes product (our short hand for it is DOKS 👍🏼 ) so there’s no access to the management layer: https://www.digitalocean.com/docs/kubernetes/overview/ Hope this helps.
