A DaemonSet that attaches a Firewall to all Linodes of a Kubernetes cluster and labels the node as schedulable. Useful to be able to expose services on NodePort, such as by attaching a Firewall that allows inbound traffic to ports 30000-32767
teocns/lke-firewall-autoattach
The application can be run in a DaemonSet as seen in this example.
LINODE_ACCESS_TOKEN - Required for performing API calls
FIREWALL_ID - The Linode Firewall ID
POST_OPERATION_NODE_LABELS - If set, will patch the nodes with the provided key:value label (i.e schedulable:true)
INSTANCE_LABEL - Node's label (i.e lke91873-139045-63e5629d44d5). Also retrievable by using a fieldRef pointing to spec.nodeName
.
A ConfigMap containting kubeconfig must be mounted to
/root/.kube/.
To ensure reliability of you LKE cluster behind a firewall, ensure that you configure your rules accordingly:
TCP port 10250 inbound from 192.168.128.0/17, Kubelet health checks
UDP port 51820 inbound from 192.168.128.0/17, Wireguard tunneling for kubectl proxy
TCP 179 inbound from 192.168.128.0/17, Calico BGP traffic
TCP/UDP port30000 - 32767 inbound from All, NodePorts for workload Services