This issue was moved to a discussion.

Optimize Firewall Rules for k3s Cluster: Minimum Required Ports for Secure Operation #11156

Closed
wanclem opened this issue Oct 23, 2024 · 0 comments


wanclem commented Oct 23, 2024

I'm currently using the following permissive firewall configuration to ensure my k3s cluster functions properly. However, I'm concerned about the security risks of having all incoming and outgoing traffic allowed on all ports. Could you advise on the minimum set of ports that should be opened for a k3s cluster to operate securely and efficiently? Here's the current configuration on Hetzner Cloud:

resource "hcloud_firewall" "k8s_firewall" {
  name = "k8s-firewall"

  # Allow all incoming TCP traffic on all ports
  rule {
    description   = "Allow all incoming TCP traffic"
    direction     = "in"
    protocol      = "tcp"
    port          = "1-65535"
    source_ips    = ["0.0.0.0/0", "::/0"]
  }

  # Allow all incoming UDP traffic on all ports
  rule {
    description   = "Allow all incoming UDP traffic"
    direction     = "in"
    protocol      = "udp"
    port          = "1-65535"
    source_ips    = ["0.0.0.0/0", "::/0"]
  }

  # Allow all outgoing TCP traffic on all ports
  rule {
    description   = "Allow all outgoing TCP traffic"
    direction     = "out"
    protocol      = "tcp"
    port          = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  # Allow all outgoing UDP traffic on all ports
  rule {
    description   = "Allow all outgoing UDP traffic"
    direction     = "out"
    protocol      = "udp"
    port          = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

}

What would be the recommended minimal port configuration to enhance security while maintaining functionality?
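The issue was closed without an answer on this page. As an added example (editor's illustration, not the k3s maintainers' reply and not code from the issue), below is the same hcloud_firewall resource rewritten around the inbound ports the k3s documentation lists for nodes: 6443/tcp (supervisor and Kubernetes API, from agents and admin clients), 2379-2380/tcp (embedded etcd, server-to-server only), 8472/udp (Flannel VXLAN, all nodes) and 10250/tcp (kubelet, all nodes). The variables `node_ips` and `admin_ips`, the HA-with-embedded-etcd and Flannel-VXLAN assumptions, and the sample addresses in the comments are all assumptions made for the example.

```hcl
# Added example, not from the issue or the k3s project.
# Assumes: node public addresses in var.node_ips, admin workstation addresses in
# var.admin_ips, HA via embedded etcd, Flannel VXLAN backend (the k3s default).
variable "node_ips"  { type = list(string) } # constructed, e.g. ["203.0.113.10/32", "203.0.113.11/32"]
variable "admin_ips" { type = list(string) } # constructed, e.g. ["198.51.100.5/32"]

resource "hcloud_firewall" "k3s_firewall" {
  name = "k3s-firewall"

  # Kubernetes API / k3s supervisor: agents join here, admins use kubectl here.
  rule {
    description = "k3s API server (nodes and admins)"
    direction   = "in"
    protocol    = "tcp"
    port        = "6443"
    source_ips  = concat(var.node_ips, var.admin_ips)
  }

  # Embedded etcd peer and client ports; only server-to-server, only in HA.
  rule {
    description = "embedded etcd (server nodes only)"
    direction   = "in"
    protocol    = "tcp"
    port        = "2379-2380"
    source_ips  = var.node_ips
  }

  # Flannel VXLAN overlay between every node.
  rule {
    description = "Flannel VXLAN (all nodes)"
    direction   = "in"
    protocol    = "udp"
    port        = "8472"
    source_ips  = var.node_ips
  }

  # Kubelet: metrics-server, kubectl logs/exec/port-forward go through here.
  rule {
    description = "kubelet (all nodes)"
    direction   = "in"
    protocol    = "tcp"
    port        = "10250"
    source_ips  = var.node_ips
  }

  # SSH only from admin addresses, never from 0.0.0.0/0.
  rule {
    description = "SSH (admins only)"
    direction   = "in"
    protocol    = "tcp"
    port        = "22"
    source_ips  = var.admin_ips
  }

  # Public ingress via the bundled Traefik; drop these rules if nothing is exposed.
  rule {
    description = "HTTP ingress"
    direction   = "in"
    protocol    = "tcp"
    port        = "80"
    source_ips  = ["0.0.0.0/0", "::/0"]
  }
  rule {
    description = "HTTPS ingress"
    direction   = "in"
    protocol    = "tcp"
    port        = "443"
    source_ips  = ["0.0.0.0/0", "::/0"]
  }

  # ICMP keeps path MTU discovery (and ping for diagnostics) working.
  rule {
    description = "ICMP"
    direction   = "in"
    protocol    = "icmp"
    source_ips  = ["0.0.0.0/0", "::/0"]
  }

  # No "out" rules on purpose: with no outbound rules defined, an hcloud
  # firewall allows all outbound traffic, which is what nodes need for image
  # pulls and package updates.
}
```

Two caveats a practitioner should check before relying on this. First, Hetzner Cloud firewalls filter only the public interface; if the nodes exchange cluster traffic over a Hetzner private network, those flows bypass these rules, and restricting them is a job for host-level rules (for example, nftables) or for k3s's own network policy. Second, the list above matches the default backend; if you switch Flannel to `wireguard-native` you need 51820/udp (and 51821/udp for IPv6) between nodes instead of 8472/udp, enabling the embedded registry mirror adds 5001/tcp between nodes, and any NodePort service you expose needs its port (30000-32767 by default) opened from wherever its clients are.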

@k3s-io k3s-io locked and limited conversation to collaborators Oct 23, 2024
@cwayne18 cwayne18 converted this issue into discussion #11157 Oct 23, 2024
@github-project-automation github-project-automation bot moved this from New to Done Issue in K3s Development Oct 23, 2024

