
How to restrict access to the nodes to only the External Load Balancer's IP? #10980

Closed
fabienvauchelles opened this issue Oct 3, 2024 · 0 comments


Environmental Info:

  • K3s Version: v1.30.2+k3s1
  • Operating System (Servers + Load Balancer): Ubuntu 24.04 LTS

Cluster Configuration:

  • 2 servers in HA (no agent)
  • 1 external load balancer running HAProxy on Level 4 (TCP)
  • HAProxy forwards traffic on TCP ports 80 and 443 to the corresponding ports on the servers in a round-robin way
  • Each server runs K3s Traefik with lb-klipper for HTTP and HTTPS load balancing.
  • 2 dummy "hello world" pods deployed, one on each node.
  • Certificates are managed by Let's Encrypt.

Note: Servers are directly exposed to the internet without the option of using a private network or firewall rules.

Describe the question:

How to restrict access to the nodes to only the External Load Balancer's IP?

Actual behavior:

Currently, ports 80, 443, NodePorts, and ETCD ports (2379, 2380) are open to the internet, and I wish to limit inbound traffic on the servers to just the load balancer's IP.

Expected behavior:

Only port 22 (SSH) and 6443 (API) are publicly open.

Tests:

I've attempted:

  • NetworkPolicies: These only seem to apply to pods.
  • iptables PREROUTING chain: Found this difficult to manage and not compatible with K3s.
  • UFW: Not effective as UFW uses its own chain system.

Thanks for your help
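As an added example (not part of the issue and not K3s project code), the script below generates an nftables ruleset for the restriction described above: ingress ports only from the load balancer, etcd ports only from the other server, 22 and 6443 left public. It hooks prerouting at mangle priority because that runs after conntrack but before NAT, so it sees the original destination port before klipper-lb hostPort and NodePort DNAT rewrite it to a pod address; rules in the filter INPUT chain (which is where UFW operates) never see that rewritten traffic, since it continues through FORWARD. The interface name, load balancer IP and peer IP are placeholders.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that limits the K3s ingress and etcd
# ports to known sources on the public interface. Not K3s project code.
NODEPORT_RANGE="30000-32767"   # K3s default NodePort range

k3s_ingress_guard() {
    pub_if="$1"     # public-facing NIC, e.g. eth0 (assumption)
    lb_ip="$2"      # external HAProxy address (placeholder)
    peers="$3"      # comma-separated IPs of the other K3s server(s) (placeholder)
    cat <<EOF
table inet k3s_ingress_guard {
    chain public_ingress {
        # mangle priority (-150): after conntrack (-200), before dstnat (-100),
        # so matching happens on the pre-DNAT destination port.
        type filter hook prerouting priority mangle; policy accept;
        # Only police the public NIC; cni0, flannel and pod traffic is untouched.
        iifname != "$pub_if" accept
        ct state established,related accept
        ip saddr $lb_ip tcp dport { 80, 443, $NODEPORT_RANGE } accept
        ip saddr $lb_ip udp dport $NODEPORT_RANGE accept
        ip saddr { $peers } tcp dport { 2379, 2380 } accept
        tcp dport { 80, 443, 2379, 2380, $NODEPORT_RANGE } drop
        udp dport $NODEPORT_RANGE drop
        # Ports 22 and 6443 are not listed, so they remain reachable from anywhere.
    }
}
EOF
}

# Apply on a server (as root): k3s_ingress_guard eth0 203.0.113.10 198.51.100.2 | nft -f -
```

Load it on each server and persist it in /etc/nftables.conf; the table lives alongside the iptables chains K3s manages rather than inside them.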

@k3s-io k3s-io locked and limited conversation to collaborators Oct 3, 2024
@brandond brandond converted this issue into discussion #10982 Oct 3, 2024
