Prevent accessing k8s master from

#1

After setting up a k8s cluster using Kapsule I have a few questions:

  1. Which ports, except for 6443, are open publicly?
  2. How can I prevent all ports on the k8s master IP from being exposed publicly?
  3. If it’s not possible to do it myself, can I ask technical support to close all ports on my master?

#2

Hello gmile!

  1. For now only port 6443, but it may change in the future.
  2. You can’t
  3. You can’t as well

Quick explanation though:
We can’t really close port 6443 for public access since it’s the entry point for the nodes and for your kubectl client.
Do you have any use cases for wanting to close this port for public access?

#3

Hi Patrik!

The reason I’d like to close 6443 and generally keep all ports closed is to make the master virtually inaccessible from the outside world.

Instead, I’d create “bastion” node and have kubectl with /.kube/config installed on it. This “bastion” node would become the only one with access to master API. To access this “bastion”, I’d use VPN or ssh.

Once this is done, I’d be sure that master has no public ports open whatsoever.

> We can’t really close port 6443 for public access since it’s the entrypoint for the nodes …

Worker nodes, I assumed, would be able to communicate with the master via an intranet IP, but I just realized there’s no ground for this assumption of mine.

#4

Okay, I see! Sadly it’s not really possible today (not simple enough, I mean). It may be possible in the future (with VPCs) and I’ll keep your idea for later :wink:

(And sorry for the late answer :sweat_smile:)

#5

@PatrikCyvoct thanks! Note on this may be available through VPC some time in the future. Put my name on the waiting list for VPC :wink:

#6

@PatrikCyvoct can I limit which IPs can call k8s API?

For example, I’d like to have a NAT rule that says “k8s API can be reached only from IP 1.2.3.4”, where 1.2.3.4 would be a Scaleway instance.

I don’t think it’s possible to do from the UI, perhaps it can be done by asking support team?
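The bastion set-up described in #3 and the “only reach the API from one instance” wish in #6 share a client-side building block: point kubectl at an SSH port-forward that terminates on the bastion, so the API host is only ever dialled from there. The script below is an added example, not code from the thread or from Scaleway; the kubeconfig content, host names (`api.example.test`, `admin@bastion.example.test`) and local port are constructed placeholders, and it assumes a single-cluster kubeconfig and that the API server certificate is valid for the name you pass as `tls-server-name`.

```shell
#!/bin/sh
# Added example: route kubectl through an SSH forward on a bastion host.
# All host names, ports and the kubeconfig below are constructed placeholders.

# Rewrite the `server:` line of a kubeconfig to the local tunnel endpoint and pin
# certificate verification to the real API host name with `tls-server-name`
# (otherwise kubectl would try to validate the cert against 127.0.0.1 and fail).
# Any pre-existing tls-server-name line is dropped so exactly one remains.
#   $1 = input kubeconfig path, $2 = API host name the cert is valid for,
#   $3 = local port of the forward (default 6443, the port from this thread)
tunnel_kubeconfig() {
  in="$1"; api_host="$2"; local_port="${3:-6443}"
  awk -v host="$api_host" -v port="$local_port" '
    /^[ \t]*tls-server-name:/ { next }
    /^[ \t]*server:[ \t]*https:\/\// {
      match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
      print indent "server: https://127.0.0.1:" port
      print indent "tls-server-name: " host
      next
    }
    { print }
  ' "$in"
}

# Print the ssh command that opens the forward:
# local_port on this machine -> api_host:6443, dialled from the bastion.
#   $1 = bastion login (user@host), $2 = API host, $3 = local port (default 6443)
tunnel_command() {
  printf 'ssh -N -L %s:%s:6443 %s\n' "${3:-6443}" "$2" "$1"
}

# Stand-alone demo on a constructed kubeconfig (not a real cluster).
demo() {
  cfg=$(mktemp)
  cat > "$cfg" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: QUJD
    server: https://api.example.test:6443
  name: kapsule
contexts:
- context:
    cluster: kapsule
    user: admin
  name: kapsule
current-context: kapsule
EOF
  echo "# 1. open the forward (runs until interrupted):"
  tunnel_command admin@bastion.example.test api.example.test 16443
  echo "# 2. kubeconfig to use while the forward is up:"
  tunnel_kubeconfig "$cfg" api.example.test 16443
  rm -f "$cfg"
}

demo
```

Save the rewritten kubeconfig and run kubectl with `KUBECONFIG=<that file>` while the forward is up. This only changes the path your own client takes; as noted in #2, the public 6443 endpoint itself stays reachable and is still what the worker nodes use, so the bastion protects your credentials’ usage path, not the control plane’s exposure.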

#7

@gmile no, also not possible :frowning:

#8

Got it.

Is it possible to extract a log of requests to the k8s API?

#9

@gmile not yet, we may offer this functionality in the future but I can’t really give you a timeline :stuck_out_tongue: