Is LKE secure from the network perspective?
SO if I create an LKE cluster, I can attach a firewall to each instance automatically using a daemonset with the following preconfigured rules:
TCP port 10250 inbound from 192.168.128.0/17, Kubelet health checks
UDP port 51820 inbound from 192.168.128.0/17, Wireguard tunneling for kubectl proxy
TCP 179 inbound from 192.168.128.0/17, Calico BGP traffic
TCP/UDP port 30000 - 32767 inbound from All, NodePorts for workload Services
(https://www.linode.com/community/questions/19155/securing-k8s-cluster)
This will pretect my cluster from external traffic.
Now as far as I understand, the 192 network is a datacenter network and so the opened ports will still be reached by other linode customers.
Is that the case? because if so LKE is not 100% secure from the network point of view.
PS: I can't use VPC because we have to have our services running in London/UK and that product is not still available there.
4 Replies
No answer from linode staff?
tlambert
Linode Staff
Yes, because you will need to keep certain ports open to traffic from the 192.168.128.0/17 subnet, it does expose the cluster to entire IP range within the data center's private network.
To address your follow-up:
"No answer from linode staff?"
If your question is urgent, the easiest (and fastest) way to get in touch with the Support Team is to reach out to them directly either through a Support Ticket or by phone:
U.S. 855-454-6633
Global +1-609-380-7100
OK… what's the solution then? How can I deploy my k8s cluster in London and make sure it is secure from the network point of view against external traffic and internal neighbours
No answer from linode staff?