# Allow the control-plane node
iptables -A INPUT -s master-node -p tcp --dport 6443 -j ACCEPT

# Allow the data (worker) node
iptables -A INPUT -s data-node -p tcp --dport 6443 -j ACCEPT

# Allow the Kubernetes internal Service CIDR
iptables -A INPUT -s 10.40.0.0/16 -p tcp --dport 6443 -j ACCEPT

# Allow the Kubernetes internal Pod CIDR
iptables -A INPUT -s 172.20.0.0/16 -p tcp --dport 6443 -j ACCEPT

# Allow the Kubernetes internal DNS CIDR
iptables -A INPUT -s 169.254.0.0/16 -p tcp --dport 6443 -j ACCEPT

# Allow the local host IP, then drop everything else on 6443
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 6443 -j ACCEPT
iptables -A INPUT -p tcp --dport 6443 -j DROP

# Handle ports 2379 (etcd client), 2380 (etcd server), 10250, 10257 and 10259 the same way

# Save later: persist the rules only after confirming the cluster is healthy
iptables-save > /etc/iptables/rules.v4

Control plane

Protocol  Direction  Port Range  Purpose                  Used By
TCP       Inbound    6443        Kubernetes API server    All
TCP       Inbound    2379-2380   etcd server client API   kube-apiserver, etcd
TCP       Inbound    10250       Kubelet API              Self, Control plane
TCP       Inbound    10259       kube-scheduler           Self
TCP       Inbound    10257       kube-controller-manager  Self

Worker node(s)

Protocol  Direction  Port Range   Purpose             Used By
TCP       Inbound    10250        Kubelet API         Self, Control plane
TCP       Inbound    10256        kube-proxy          Self, Load balancers
TCP       Inbound    30000-32767  NodePort Services†  All
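The post applies its allow-list to 6443 by hand and says to repeat it for the other control-plane ports. The script below is an added example, not from the original post: it generates the same allow-list for every control-plane port in the table, makes each rule idempotent with `iptables -C`, and prints the commands for review unless APPLY=1. The function names and the APPLY switch are this example's own; the source names and CIDRs are the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): expands the post's 6443 rules
# to every control-plane port in the table above. Function names and the
# APPLY switch are inventions of this example.

# Trusted sources copied from the post's rules; replace with your own values.
SOURCES="master-node data-node 10.40.0.0/16 172.20.0.0/16 169.254.0.0/16 127.0.0.1"

# Control-plane TCP ports from the table (2379-2380 as an iptables range).
PORTS="6443 2379:2380 10250 10257 10259"

# Emit one idempotent command: add the rule only if an identical one is not
# already present (-C checks), so re-running the script does not duplicate it.
emit() {
    printf 'iptables -C INPUT %s 2>/dev/null || iptables -A INPUT %s\n' "$1" "$1"
}

# Rules protecting one port: an ACCEPT per trusted source, then a catch-all
# DROP. Because -A appends, a broader ACCEPT earlier in INPUT would still win;
# inspect `iptables -S INPUT` for such rules before relying on the DROP.
rules_for_port() {
    port=$1
    for src in $SOURCES; do
        emit "-s $src -p tcp --dport $port -j ACCEPT"
    done
    emit "-p tcp --dport $port -j DROP"
}

# Full rule set for all control-plane ports.
all_rules() {
    for p in $PORTS; do
        rules_for_port "$p"
    done
}

# Number of rules generated for a port (one per source + 1 DROP); sanity check.
rule_count() {
    rules_for_port "$1" | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    # Execute the generated commands for real; run iptables-save only after
    # confirming the cluster is still healthy, as the post advises.
    all_rules | sh -e
else
    # Dry run: print the commands for review.
    all_rules
fi
```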
Posted on 2024-08-21 20:42 by 小SEI子