Question

Load balancer in front of Kubernetes configuration question

Hello,

I am completely at a loss here: I have been trying to get my load balancer firewall configured to have a public load balancer with Kubernetes nodes that are not accessible outside of the VPC. I need to shut down access to all Kubernetes node ports outside of DigitalOcean and only allow a single public load balancer to access a single NodePort on the Kubernetes nodes, which is then routed by an Nginx ingress controller.

I have found that DigitalOcean can create and manage firewall rules, but it configures things so that the node ports are open to the world behind the load balancer. This won’t work for me because I put SSO and SSL termination from Cloudflare in front of the load balancer. So I have one Cloudflare-proxied DNS record for the root and a wildcard pointing at that load balancer. Since all authentication is happening in front of the load balancer, I absolutely cannot have the node ports behind the load balancer exposed to the world. So from what I have found, DigitalOcean’s firewall configuration management for Kubernetes won’t work.

So I tried creating the load balancer outside of Kubernetes and configuring its DNS through Terraform to link to the NodePort for the Nginx service, and tried creating a new firewall rule (also in Terraform) to only allow traffic from the load balancer. This does not work either, as the load balancer cannot reach the NodePort anymore.

In fact, when I create a firewall test (new rule) that allows all ports outside of the Kubernetes-configured firewall, it still doesn’t work, even if I allow full access to all ports from all IPv4 traffic. This makes no sense to me, so I am completely missing something here.

So what am I missing here? Why is it almost impossible to configure a simple firewall rule to lock down NodePorts on the Kubernetes nodes, except for traffic from a single load balancer?

Thanks for your help!
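The exposure the question is worried about (NodePorts in the 30000-32767 range reachable from 0.0.0.0/0 behind a Cloudflare-authenticated load balancer) can be checked mechanically before trusting a firewall. The script below is an added example, not code from the question or from DigitalOcean; it audits inbound rules laid out in the shape of the DigitalOcean API v2 firewall object (`inbound_rules[].protocol`, `ports`, `sources.addresses`, `sources.load_balancer_uids`), which is an assumption about field names, and the sample firewall is constructed for the demonstration. Rules whose source is only a load balancer UID or a private range pass; rules that open any port overlapping the NodePort range to a zero-length prefix are reported.

```python
"""Audit firewall inbound rules for Kubernetes NodePorts open to the world.

Added example. The sample firewall below is constructed to mirror the shape
of a DigitalOcean API v2 firewall object (an assumption about field names);
it is not data from the question or from a real account.
"""
import ipaddress

# Kubernetes default NodePort range (kube-apiserver --service-node-port-range).
NODEPORT_RANGE = (30000, 32767)


def parse_ports(ports: str) -> tuple[int, int]:
    """Turn a rule port spec into an inclusive (low, high) tuple.

    Accepts the three forms the API uses: "all", a single port "8080",
    or a range "30000-32767".
    """
    if ports == "all":
        return (1, 65535)
    if "-" in ports:
        lo, hi = ports.split("-", 1)
        return (int(lo), int(hi))
    return (int(ports), int(ports))


def overlaps_nodeports(ports: str) -> bool:
    """True if any port in the spec falls inside the NodePort range."""
    lo, hi = parse_ports(ports)
    return lo <= NODEPORT_RANGE[1] and hi >= NODEPORT_RANGE[0]


def is_world_source(addr: str) -> bool:
    """A zero-length prefix (0.0.0.0/0 or ::/0) means 'anyone on the internet'."""
    return ipaddress.ip_network(addr, strict=False).prefixlen == 0


def find_exposed_nodeport_rules(firewall: dict) -> list[dict]:
    """Return the inbound rules that expose NodePorts to unrestricted sources.

    A rule is flagged only when it is TCP/UDP, touches the NodePort range,
    and lists at least one world-open CIDR. Load-balancer-UID-only sources
    and private/VPC CIDRs are considered restricted and are not flagged.
    """
    findings = []
    for rule in firewall.get("inbound_rules", []):
        if rule.get("protocol") not in ("tcp", "udp"):
            continue
        if not overlaps_nodeports(rule.get("ports", "all")):
            continue
        sources = rule.get("sources", {})
        world = [a for a in sources.get("addresses", []) if is_world_source(a)]
        if world:
            findings.append({
                "protocol": rule["protocol"],
                "ports": rule["ports"],
                "world_sources": world,
            })
    return findings


# Constructed sample: one rule is the world-open NodePort range the question
# describes, one restricts a single NodePort to a load balancer UID, one is
# SSH from the VPC only. Only the first should be reported.
SAMPLE_FIREWALL = {
    "name": "k8s-worker-firewall-sample",
    "inbound_rules": [
        {"protocol": "tcp", "ports": "30000-32767",
         "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
        {"protocol": "tcp", "ports": "31080",
         "sources": {"load_balancer_uids": ["00000000-lb-uid-placeholder"]}},
        {"protocol": "tcp", "ports": "22",
         "sources": {"addresses": ["10.10.0.0/16"]}},
    ],
}


def audit_sample() -> list[dict]:
    """Run the audit over the constructed sample firewall."""
    return find_exposed_nodeport_rules(SAMPLE_FIREWALL)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"EXPOSED: {finding['protocol']}/{finding['ports']} "
              f"from {', '.join(finding['world_sources'])}")
```

Running the audit against the real firewall JSON returned for the cluster's worker tag (fetched however you already query the API) gives a quick pass/fail on whether the Cloudflare-side authentication can be bypassed by hitting a node directly; an empty result means every NodePort rule names a load balancer or a private prefix as its source.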


Bobby Iliev
Site Moderator
March 26, 2023

Hi there,

Indeed, the DigitalOcean firewalls cannot be applied to managed Load Balancers, as mentioned here:

https://docs.digitalocean.com/products/networking/load-balancers/details/limits/

In this case, I could suggest following the steps from this documentation here:

https://docs.digitalocean.com/tutorials/internal-lb/

In that tutorial, you learn how to use a NodePort service and ExternalDNS to make services on a DOKS cluster accessible to applications on Droplets, which will also work for existing Load Balancers within that VPC.

Hope that this helps.

Best,

Bobby