From e7a8184de2f962f01d28ff4336a13e2c2ce4a5d2 Mon Sep 17 00:00:00 2001 From: Matthew Wildman Date: Tue, 23 Jul 2024 14:05:24 -0400 Subject: [PATCH] [Update] LKE > Get Started (#7054) * Fixed inaccurate steps, removed lke shortguide, fixed formatting * Remove trailing period from list items --- .../index.md | 48 ---------------- .../index.md | 2 +- .../compute/kubernetes/get-started/index.md | 55 +++++++++++++++---- .../index.md | 4 -- 4 files changed, 44 insertions(+), 65 deletions(-) delete mode 100644 docs/guides/kubernetes/_shortguides/lke-network-firewall-information-shortguide/index.md diff --git a/docs/guides/kubernetes/_shortguides/lke-network-firewall-information-shortguide/index.md b/docs/guides/kubernetes/_shortguides/lke-network-firewall-information-shortguide/index.md deleted file mode 100644 index d6852876635..00000000000 --- a/docs/guides/kubernetes/_shortguides/lke-network-firewall-information-shortguide/index.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -slug: lke-network-firewall-information-shortguide -title: "Network and Filewall Information for Linode Kubernetes Engine Clusters" -description: 'Language that describes the options for creating workloads on Linode Kubernetes Engine that are accessible from the Internet, and directions for creating firewall rules for your nodes.' -authors: ["Linode"] -contributors: ["Linode"] -published: 2020-04-06 -modified: 2022-11-22 -keywords: [] -license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)' -headless: true -show_on_rss_feed: false -tags: ["kubernetes"] -aliases: ['/kubernetes/lke-network-firewall-information-shortguide/'] ---- - -In an LKE cluster, some entities and services are only accessible from within that cluster while others are publicly accessible (reachable from the internet). - -**Private (accessible only within the cluster)** - -- Pod IPs, which use a per-cluster virtual network in the range 10.2.0.0/16 -- ClusterIP Services, which use a per-cluster virtual network in the range 10.128.0.0/16 - -**Public (accessible over the internet)** - -- NodePort Services, which listen on all Nodes with ports in the range 30000-32768. -- LoadBalancer Services, which automatically deploy and configure a NodeBalancer. -- Any manifest which uses `hostNetwork`: true and specifies a port. -- Most manifests which use `hostPort` and specify a port. - -Exposing workloads to the public internet through the above methods can be convenient, but this can also carry a security risk. You may wish to manually install firewall rules on your cluster nodes. 
The following policies are needed to allow communication between the node pools and the control plane and block unwanted traffic: - -- **Allow kubelet health checks:** TCP port 10250 from 192.168.128.0/17 Accept -- **Allow Wireguard tunneling for kubectl proxy:** UDP port 51820 from 192.168.128.0/17 Accept -- **Allow Calico BGP traffic:** TCP port 179 from 192.168.128.0/17 Accept -- **Allow NodePorts for workload services:** TCP/UDP port 30000 - 32767 192.168.128.0/17 Accept -- **Block all other TCP traffic:** TCP All Ports All IPv4/All IPv6 Drop -- **Block all other UDP traffic:** UDP All Ports All IPv4/All IPv6 Drop -- **Block all ICMP traffic:** ICMP All Ports All IPv4/All IPv6 Drop -- IPENCAP for IP ranges 192.168.128.0/17 for internal communication between node pools and control plane. - -For additional information, [please see this community post](https://www.linode.com/community/questions/19155/securing-k8s-cluster). Future LKE release may allow greater flexibility for the network endpoints of these types of workloads. - -Please note, at this time, nodes should be removed from the Cloud Firewall configuration before removing/recycling of node pools within the Kubernetes configuration. Also, when adding node pools to the Kubernetes cluster, Cloud Firewall must be updated with the new node pool(s). Failure to add the new nodes creates a security risk. - -{{< note >}} -All new LKE clusters create a service named `Kubernetes` in the `default` namespace designed to ease interactions with the control plane. This is a standard service for LKE clusters. -{{< /note >}} \ No newline at end of file diff --git a/docs/guides/kubernetes/how-to-deploy-a-static-site-on-linode-kubernetes-engine/index.md b/docs/guides/kubernetes/how-to-deploy-a-static-site-on-linode-kubernetes-engine/index.md index 2709eb65b14..7ea2c180937 100644 --- a/docs/guides/kubernetes/how-to-deploy-a-static-site-on-linode-kubernetes-engine/index.md 
+++ b/docs/guides/kubernetes/how-to-deploy-a-static-site-on-linode-kubernetes-engine/index.md @@ -510,7 +510,7 @@ In this section, you create a [Deployment](/docs/guides/kubernetes-reference/#de ## General Network and Firewall Information -{{% content "lke-network-firewall-information-shortguide" %}} +To learn more about networking within LKE, open ports, and configuring firewall rules, see [General Network and Firewall Information](/docs/products/compute/kubernetes/get-started/#general-network-and-firewall-information). ## Next Steps diff --git a/docs/products/compute/kubernetes/get-started/index.md b/docs/products/compute/kubernetes/get-started/index.md index c6b30fbc46c..41488fb69f5 100644 --- a/docs/products/compute/kubernetes/get-started/index.md +++ b/docs/products/compute/kubernetes/get-started/index.md @@ -47,11 +47,11 @@ Visit the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/inst ### Create an LKE Cluster -1. Log into your [Linode Cloud Manager](https://cloud.linode.com/) account. +1. Log into your [Cloud Manager](https://cloud.linode.com/) account. -1. From the Linode dashboard, click the **Create** button in the top right-hand side of the screen and select **Kubernetes** from the dropdown menu. +1. Select Kubernetes from the left navigation menu and then click **Create Cluster**. -1. The **Create a Kubernetes Cluster** page appears. At the top of the page, you are required to select the following options: +1. The **Create a Kubernetes Cluster** page appears. At the top of the page, you are required to select the following options: - In the **Cluster Label** field, provide a name for your cluster. The name must be unique between all of the clusters on your account. This name is how you identify your cluster in the Cloud Manager’s Dashboard. 
@@ -59,27 +59,27 @@ Visit the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/inst - From the **Version** dropdown menu, select a Kubernetes version to deploy to your cluster. -1. In the **Add Node Pools** section, select the [hardware resources](/docs/products/compute/compute-instances/plans/choosing-a-plan/#compute-resources) for the Linode worker node(s) that make up your LKE cluster. To the right of each plan, select the plus `+` and minus `-` to add or remove a Linode to a node pool one at time. +1. In the **Add Node Pools** section, select the [hardware resources](/docs/products/compute/compute-instances/plans/choosing-a-plan/#compute-resources) for the Linode worker node(s) that make up your LKE cluster. To the right of each plan, select the plus `+` and minus `-` to add or remove a Linode to a node pool one at time. -1. Once you're satisfied with the number of nodes in a node pool, select **Add** to include it in your configuration. If you decide that you need more or fewer hardware resources after you deploy your cluster, you can always [edit your Node Pool](#edit-or-remove-existing-node-pools). +1. Once you're satisfied with the number of nodes in a node pool, select **Add** to include it in your configuration. If you decide that you need more or fewer hardware resources after you deploy your cluster, you can always [edit your Node Pool](#edit-or-remove-existing-node-pools). -1. Once a pool has been added to your configuration, it is listed in the **Cluster Summary** on the right-hand side of the Cloud Manager detailing your cluster's hardware resources and monthly cost. Additional pools can be added before finalizing the cluster creation process by repeating the previous step for each additional pool. +1. Once a pool has been added to your configuration, it is listed in the **Cluster Summary** on the right-hand side of the Cloud Manager detailing your cluster's hardware resources and monthly cost. 
Additional pools can be added before finalizing the cluster creation process by repeating the previous step for each additional pool. -1. When you are satisfied with the configuration of your cluster, click the **Create Cluster** button on the right hand side of the screen. Your cluster's detail page appears, and your Node Pools are listed on this page. From this page, you can [edit your existing Node Pools](#edit-or-remove-existing-node-pools), [access your Kubeconfig file](#access-and-download-your-kubeconfig), and view an overview of your cluster's resource details. +1. When you are satisfied with the configuration of your cluster, click the **Create Cluster** button on the right hand side of the screen. Your cluster's detail page appears, and your Node Pools are listed on this page. From this page, you can [edit your existing Node Pools](#edit-or-remove-existing-node-pools), [access your Kubeconfig file](#access-and-download-your-kubeconfig), and view an overview of your cluster's resource details. ### Access and Download your kubeconfig -1. To access your cluster's kubeconfig, log in to your Cloud Manager account and navigate to the **Kubernetes** section. +1. To access your cluster's kubeconfig, log in to your Cloud Manager account and navigate to the **Kubernetes** section. -1. From the Kubernetes listing page, click on your cluster's **more options ellipsis** and select **Download kubeconfig**. The file is saved to your computer's `Downloads` folder. +1. From the Kubernetes listing page, click on your cluster's **more options ellipsis** and select **Download kubeconfig**. The file is saved to your computer's `Downloads` folder. -1. Open a terminal shell and save your kubeconfig file's path to the `$KUBECONFIG` environment variable. In the example command, the kubeconfig file is located in the `Downloads` folder, but you should alter this line with this folder's location on your computer: +1. 
Open a terminal shell and save your kubeconfig file's path to the `$KUBECONFIG` environment variable. In the example command, the kubeconfig file is located in the `Downloads` folder, but you should alter this line with this folder's location on your computer: ```command export KUBECONFIG=~/Downloads/kubeconfig.yaml ``` -1. View your cluster's nodes using kubectl. +1. View your cluster's nodes using kubectl. ```command kubectl get nodes 
@@ -87,7 +87,38 @@ Visit the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/inst ## General Network and Firewall Information -{{% content "lke-network-firewall-information-shortguide" %}} +In an LKE cluster, some entities and services are only accessible from within that cluster while others are publicly accessible (reachable from the internet). + +**Private (accessible only within the cluster):** + +- Pod IPs, which use a per-cluster virtual network in the range 10.2.0.0/16 +- ClusterIP Services, which use a per-cluster virtual network in the range 10.128.0.0/16 + +**Public (accessible over the internet):** + +- NodePort Services, which listen on all Nodes with ports in the range 30000-32768 +- LoadBalancer Services, which automatically deploy and configure a NodeBalancer +- Any manifest which uses `hostNetwork`: true and specifies a port +- Most manifests which use `hostPort` and specify a port + +Exposing workloads to the public internet through the above methods can be convenient, but this can also carry a security risk. You may wish to manually install firewall rules on your cluster nodes. The following policies are needed to allow communication between the node pools and the control plane and block unwanted traffic: + +- **Allow kubelet health checks:** TCP port 10250 from 192.168.128.0/17 Accept +- **Allow Wireguard tunneling for kubectl proxy:** UDP port 51820 from 192.168.128.0/17 Accept +- **Allow Calico BGP traffic:** TCP port 179 from 192.168.128.0/17 Accept +- **Allow NodePorts for workload services:** TCP/UDP port 30000 - 32767 192.168.128.0/17 Accept +- **Block all other TCP traffic:** TCP All Ports All IPv4/All IPv6 Drop +- **Block all other UDP traffic:** UDP All Ports All IPv4/All IPv6 Drop +- **Block all ICMP traffic:** ICMP All Ports All IPv4/All IPv6 Drop +- IPENCAP for IP ranges 192.168.128.0/17 for internal communication between node pools and control plane. 
+ +For additional information, [please see this community post](https://www.linode.com/community/questions/19155/securing-k8s-cluster). Future LKE release may allow greater flexibility for the network endpoints of these types of workloads. + +Please note, at this time, nodes should be removed from the Cloud Firewall configuration before removing/recycling of node pools within the Kubernetes configuration. Also, when adding node pools to the Kubernetes cluster, Cloud Firewall must be updated with the new node pool(s). Failure to add the new nodes creates a security risk. + +{{< note >}} +All new LKE clusters create a service named `Kubernetes` in the `default` namespace designed to ease interactions with the control plane. This is a standard service for LKE clusters. +{{< /note >}} ## Next Steps diff --git a/docs/products/compute/kubernetes/guides/deploy-and-manage-cluster-with-the-linode-api/index.md b/docs/products/compute/kubernetes/guides/deploy-and-manage-cluster-with-the-linode-api/index.md index 5baabade616..747188df84e 100644 --- a/docs/products/compute/kubernetes/guides/deploy-and-manage-cluster-with-the-linode-api/index.md +++ b/docs/products/compute/kubernetes/guides/deploy-and-manage-cluster-with-the-linode-api/index.md @@ -730,10 +730,6 @@ curl -H "Authorization: Bearer $TOKEN" \ https://api.linode.com/v4/lke/clusters/12345 ``` -## General Network and Firewall Information - -{{% content "lke-network-firewall-information-shortguide" %}} - ## Where to Go From Here? Now that you have created an LKE cluster, you can start deploying workloads to it. Review these guides for further help:
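Review bot: In the hunk deleting `docs/guides/kubernetes/_shortguides/lke-network-firewall-information-shortguide/index.md`, any remaining `{{% content "lke-network-firewall-information-shortguide" %}}` include elsewhere in the tree would now point at a file that no longer exists; this patch updates only two callers, so grep the docs tree for the slug before merge so no stale include remains. The deleted front matter also carried `aliases: ['/kubernetes/lke-network-firewall-information-shortguide/']`; confirm nothing still links to that path, or keep a redirect if it does.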
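Review bot: In the `get-started/index.md` hunk at `@@ -47,11 +47,11 @@`, the new step "Select Kubernetes from the left navigation menu and then click **Create Cluster**" leaves the UI label "Kubernetes" unbolded while the line it replaces bolded it (**Kubernetes**) and the same line bolds **Create Cluster**; use **Kubernetes** for consistency. The remaining changed lines in this hunk look identical on both sides, so they appear to be whitespace-only edits; that matches the "fixed formatting" commit message, but separating whitespace-only changes from wording changes would make the hunk easier to review.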
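Review bot: In the `get-started/index.md` hunk at `@@ -59,27 +59,27 @@`, the "Add Node Pools" step is rewritten with apparently whitespace-only changes but keeps the pre-existing grammar slip "add or remove a Linode to a node pool one at time"; since the line is already being touched, make it "add or remove a Linode from a node pool one at a time". The other lines in this hunk also show no visible textual difference between the `-` and `+` sides, so please confirm the change is intentional trailing-whitespace or indentation cleanup rather than an accidental re-save.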
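Review bot: In the `get-started/index.md` hunk at `@@ -87,7 +87,38 @@`, the inlined text describes NodePort Services as "Public (accessible over the internet)" and gives their range as "30000-32768", while the firewall policy a few lines later allows "TCP/UDP port 30000 - 32767" only from 192.168.128.0/17 and then drops all other TCP and UDP from All IPv4/All IPv6; the two ranges disagree (the second one is the Kubernetes default), and once the rules are applied NodePorts are no longer reachable from the internet, only from that private range. Since this content is being moved rather than just copied, state explicitly whether that is the intended effect (direct internet access to NodePorts blocked, with traffic reaching them only through the private range) and use one consistent range in both places. Smaller points in the same hunk: the commit message says trailing periods were removed from list items, but the final bullet "- IPENCAP for IP ranges 192.168.128.0/17 for internal communication between node pools and control plane." keeps its period and does not follow the `**Label:** protocol port source action` shape of the seven bullets above it; the backticks in "Any manifest which uses `hostNetwork`: true" should enclose the whole key-value pair as `hostNetwork: true`; and "Future LKE release may allow" should read "Future LKE releases may allow".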
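Review bot: In the `deploy-and-manage-cluster-with-the-linode-api/index.md` hunk at `@@ -730,10 +730,6 @@`, the "General Network and Firewall Information" section is dropped outright, whereas the static-site guide hunk in this same patch replaces the include with a link to `/docs/products/compute/kubernetes/get-started/#general-network-and-firewall-information`. Readers who create a cluster via the API still need the node firewall rules, so consider keeping the heading with that one-line cross-link instead of removing the section; also check that no other page links to `#general-network-and-firewall-information` on the API guide, since that anchor disappears with this change.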