The reason I’d like to close 6443 and generally keep all ports closed is to make the master virtually inaccessible from the outside world.
Instead, I’d create a “bastion” node and have kubectl with
~/.kube/config installed on it. This “bastion” node would become the only one with access to the master API. To access this “bastion”, I’d use a VPN or ssh.
Once this is done, I’d be sure that the master has no public ports open whatsoever.
We can’t really close port 6443 to public access since it’s the entry point for the nodes …
Worker nodes, I assumed, would be able to communicate with the master via an intranet IP, but I just realized there’s no ground for this assumption of mine.
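The split the thread is circling, as an added example that is not from any of the posters: 6443 does not have to be either fully open or fully closed. Workers talk to whatever address is in the `server:` field of the kubelet’s kubeconfig (with kubeadm that is set from `--apiserver-advertise-address` / `--control-plane-endpoint`), so if that is the master’s intranet address, the host firewall can accept 6443 from the node subnet and the bastion only and drop everything else. The script below emits the iptables rules for review and only applies them on `--apply`; the subnet `10.0.0.0/24`, bastion address `10.0.1.5` and the function names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): restrict TCP/6443 on the control-plane
# host to the worker subnet and a bastion. Values below are assumed.
set -eu

NODE_CIDR="${NODE_CIDR:-10.0.0.0/24}"    # assumed intranet subnet of the workers
BASTION_IP="${BASTION_IP:-10.0.1.5}"     # assumed private address of the bastion
APISERVER_PORT="${APISERVER_PORT:-6443}"

# Print the rules, one per line, without touching the live ruleset.
# Loopback is allowed first: kube-scheduler / kube-controller-manager on the
# master itself reach the API server through lo.
apiserver_rules() {
    node_cidr="$1"; bastion_ip="$2"; port="$3"
    printf '%s\n' \
      "iptables -A INPUT -i lo -p tcp --dport ${port} -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport ${port} -s ${node_cidr} -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport ${port} -s ${bastion_ip}/32 -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport ${port} -j DROP"
}

# Apply each rule only if an identical one is not already present (-C),
# so re-running the script does not duplicate rules. Needs root.
apply_rules() {
    apiserver_rules "$@" | while IFS= read -r rule; do
        check="${rule/-A INPUT/-C INPUT}"
        if ! $check 2>/dev/null; then
            $rule
        fi
    done
}

case "${1:-}" in
    --apply) apply_rules "$NODE_CIDR" "$BASTION_IP" "$APISERVER_PORT" ;;
    *)       apiserver_rules "$NODE_CIDR" "$BASTION_IP" "$APISERVER_PORT" ;;
esac
```

After applying, confirm from a worker that `curl -k https://<master-intranet-ip>:6443/healthz` still answers, and from an outside address that the connection times out; the kubeconfig on the bastion then points at the intranet address as well, reached over the VPN or ssh tunnel.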