Operating System (Servers + Load Balancer): Ubuntu 24.04 LTS
Cluster Configuration:
2 servers in HA (no agent)
1 external load balancer running HAProxy on Level 4 (TCP)
HAProxy forwards traffic on TCP ports 80 and 443 to the corresponding ports on the servers in a round-robin way.
Each server runs K3s Traefik with lb-klipper for HTTP and HTTPS load balancing.
2 dummy "hello world" pods deployed, one on each node.
Certificates are managed by Let's Encrypt.
Note: Servers are directly exposed to the internet without the option of using a private network or firewall rules
Describe the question:
How to restrict access to the nodes to only the External Load Balancer's IP?
Actual behavior:
Currently, ports 80, 443, NodePorts, and ETCD ports (2379, 2380) are open to the internet, and I wish to limit inbound traffic on the servers to just the load balancer's IP.
Expected behavior:
Only port 22 (SSH) and 6443 (API) are publicly opened.
Tests:
I've attempted:
NetworkPolicies: These only seem to apply to pods.
iptables PREROUTING chain: Found this difficult to manage and not compatible with K3s.
UFW: Not effective as UFW uses its own chain system.
Thanks for your help
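An added example, not part of the issue and not K3s project code: a shell function that renders an nftables ruleset for the ports listed above. It filters in prerouting, after conntrack and before hostPort and NodePort traffic is DNATed, where a filter on the INPUT chain would not see that traffic. The interface name, the documentation-range IPs and the table name `edge_guard` are assumptions; 30000-32767 is the default NodePort range.

```shell
#!/bin/sh
# Added example: restrict 80/443/NodePorts to the load balancer and etcd to peers.
# Usage (constructed values): render_ruleset eth0 203.0.113.10 198.51.100.22 | nft -c -f -
# "nft -c" only checks the syntax; drop -c to load the table.

is_ipv4() {
    # Dotted quad only, each octet 0-255.
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

render_ruleset() {
    # $1 = public interface, $2 = load balancer IP, $3... = other server IPs (etcd peers)
    [ $# -ge 3 ] || { echo "usage: render_ruleset IFACE LB_IP PEER_IP..." >&2; return 1; }
    pub_if=$1; lb_ip=$2; shift 2
    # Refuse anything that could break out of the quoted interface name.
    case $pub_if in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $pub_if" >&2; return 1 ;;
    esac
    is_ipv4 "$lb_ip" || { echo "bad load balancer IP: $lb_ip" >&2; return 1; }
    peers=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad peer IP: $ip" >&2; return 1; }
        peers="${peers:+$peers, }$ip"
    done
    cat <<EOF
table inet edge_guard {
    chain prerouting {
        # Priority mangle (-150): after conntrack (-200), before DNAT (-100),
        # so the original destination port is still visible here.
        type filter hook prerouting priority mangle; policy accept;
        # Pod, loopback and overlay interfaces are left alone.
        iifname != "$pub_if" accept
        # Replies to connections the node or its pods opened themselves.
        ct state established,related accept
        tcp dport { 80, 443, 30000-32767 } ip saddr $lb_ip accept
        tcp dport { 2379, 2380 } ip saddr { $peers } accept
        # Everything else to these ports is dropped, IPv6 included.
        tcp dport { 80, 443, 2379, 2380, 30000-32767 } drop
    }
}
EOF
}
```

The ruleset does not touch ports 22 and 6443, so SSH and the API stay reachable as in the expected behavior above.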