What firewall rules do I need for cert-manager on LKE?

Hey, I've been following the doc:

https://www.linode.com/docs/guides/how-to-configure-load-balancing-with-tls-encryption-on-a-kubernetes-cluster/#create-a-clusterissuer-resource

This works fine with no firewall rules; I can secure with TLS fine.

If I have the firewall rules (detailed below; all outbound is allowed, all inbound is denied unless there is a rule), the cert-manager check API fails (not the case if I disable the firewall). Am I missing a rule here?

```hcl
inbound {
  label    = "allow-http"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "80"
  ipv4     = ["0.0.0.0/0"]
  ipv6     = ["ff00::/8"]
}

inbound {
  label    = "allow-https"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "443"
  ipv4     = ["0.0.0.0/0"]
  ipv6     = ["ff00::/8"]
}

inbound {
  label    = "allow-cert-manager"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "6443"
  ipv4     = ["192.168.128.0/17"]
}

inbound {
  label    = "allow-cert-manager"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "9402"
  ipv4     = ["192.168.128.0/17"]
}
```

Using this port for cert-manager; I specify this via Helm.

```hcl
inbound {
  label    = "allow-cert-manager"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "10260"
  ipv4     = ["192.168.128.0/17"]
}
```

```hcl
# https://www.linode.com/community/questions/19155/securing-k8s-cluster

inbound {
  label    = "kubelet-health-checks"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "10250"
  ipv4     = ["192.168.128.0/17"]
}

inbound {
  label    = "kubelet-proxy"
  action   = "ACCEPT"
  protocol = "UDP"
  ports    = "51820"
  ipv4     = ["192.168.128.0/17"]
}

inbound {
  label    = "calico-bgp"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "179"
  ipv4     = ["192.168.128.0/17"]
}

inbound {
  label    = "kubernetes-node-ports"
  action   = "ACCEPT"
  protocol = "TCP"
  ports    = "30000-32767"
  ipv4     = ["0.0.0.0/0"]
}

inbound {
  label    = "kubernetes-node-ports"
  action   = "ACCEPT"
  protocol = "UDP"
  ports    = "30000-32767"
  ipv4     = ["0.0.0.0/0"]
}
```

1 Reply

When dealing with firewalls and LKE, you can ensure the ports utilized by the components of the LKE control plane are not being impeded:

https://kubernetes.io/docs/reference/ports-and-protocols/

Based on the output you shared it looks like some rules need to be added to allow a few of the ports listed in the link above.
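One way to check a rule set like the one posted against the worker-node port list on the Kubernetes page linked above, as an added example that is part of neither the question nor the reply: it parses the `inbound` blocks (a constructed, compacted copy of the posted rules, one rule per line) and reports which inbound worker-node ports are not reachable from a given source address. The port table is hand-transcribed from that Kubernetes page and the source addresses are made-up test values; the IPv6 check also shows that `ff00::/8`, the IPv6 multicast range, admits no unicast client.

```python
import ipaddress
import re
# Constructed compact copy of the inbound rules posted in the question, one rule per line.
RULES_HCL = """
inbound { label = "allow-http" action = "ACCEPT" protocol = "TCP" ports = "80" ipv4 = ["0.0.0.0/0"] ipv6 = ["ff00::/8"] }
inbound { label = "allow-https" action = "ACCEPT" protocol = "TCP" ports = "443" ipv4 = ["0.0.0.0/0"] ipv6 = ["ff00::/8"] }
inbound { label = "allow-cert-manager" action = "ACCEPT" protocol = "TCP" ports = "6443" ipv4 = ["192.168.128.0/17"] }
inbound { label = "allow-cert-manager" action = "ACCEPT" protocol = "TCP" ports = "9402" ipv4 = ["192.168.128.0/17"] }
inbound { label = "allow-cert-manager" action = "ACCEPT" protocol = "TCP" ports = "10260" ipv4 = ["192.168.128.0/17"] }
inbound { label = "kubelet-health-checks" action = "ACCEPT" protocol = "TCP" ports = "10250" ipv4 = ["192.168.128.0/17"] }
inbound { label = "kubelet-proxy" action = "ACCEPT" protocol = "UDP" ports = "51820" ipv4 = ["192.168.128.0/17"] }
inbound { label = "calico-bgp" action = "ACCEPT" protocol = "TCP" ports = "179" ipv4 = ["192.168.128.0/17"] }
inbound { label = "kubernetes-node-ports" action = "ACCEPT" protocol = "TCP" ports = "30000-32767" ipv4 = ["0.0.0.0/0"] }
inbound { label = "kubernetes-node-ports" action = "ACCEPT" protocol = "UDP" ports = "30000-32767" ipv4 = ["0.0.0.0/0"] }
"""

# Inbound worker-node ports as listed on the Kubernetes ports-and-protocols page (hand-transcribed; that page is the source of truth).
K8S_WORKER_PORTS = [("TCP", 10250, 10250, "kubelet API"), ("TCP", 10256, 10256, "kube-proxy"),
                    ("TCP", 30000, 32767, "NodePort Services")]

BLOCK = re.compile(r"inbound\s*\{(.*?)\}", re.S)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\[([^\]]*)\])')

def parse_rules(text):
    # One dict per inbound {...} block; list-valued attributes (ipv4/ipv6) become Python lists.
    return [{m.group(1): m.group(2) if m.group(3) is None else re.findall(r'"([^"]*)"', m.group(3))
             for m in ATTR.finditer(body)} for body in BLOCK.findall(text)]

def port_range(spec):
    # "80" -> (80, 80); "30000-32767" -> (30000, 32767)
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def allows(rules, proto, port, src):
    # Default deny: True only if some ACCEPT rule matches the protocol, the port and the source address.
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r.get("action") != "ACCEPT" or r.get("protocol") != proto:
            continue
        lo, hi = port_range(r["ports"])
        nets = r.get("ipv4" if addr.version == 4 else "ipv6", [])
        if lo <= port <= hi and any(addr in ipaddress.ip_network(n) for n in nets):
            return True
    return False

def missing_worker_ports(rules, src):
    # Entries of K8S_WORKER_PORTS that are not reachable on every port of their range from src.
    return [name for proto, lo, hi, name in K8S_WORKER_PORTS
            if not all(allows(rules, proto, p, src) for p in range(lo, hi + 1))]
```

Run against the posted rules with a source inside 192.168.128.0/17, `missing_worker_ports` reports only `kube-proxy` (TCP 10256); whether that gap is what breaks the cert-manager check is for the cluster owner to confirm against the linked page.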
