How to Secure LKE Nodes and Linodes
Forgive me, I am pretty new to Kubernetes.
I have a system setup, but as its all dev and proof of concept for me its not all too secure yet, which is my next step.
I have a Storage Linode, which has my db and redis cache, and a kubernetes cluster which I intent to run the apps.
I am supprised how ever that the Kubernetes node each come with a public IP Address. Are these required? should I remove them since the nodebalancer acts as the entry point?
I also want to connect the storage Linode and LKE Nodes over a VLAN. but there are no options on this when adding or modifying the pool. Do these settings have to be done manually for each linode?
2 Replies
If you haven't checked it out yet, we have some info on network security for Kubernetes clusters in our intro guide here: Deploy and Manage a Cluster with Linode Kubernetes Engine - A Tutorial: General Network and Firewall Information
You aren't able to remove or disable a node's public IP; however, the guide I linked above has a bit more detail about what is/isn't publicly accessible:
In an LKE cluster, both of the following types of workload endpoints cannot be reached from the Internet:
Pod IPs, which use a per-cluster virtual network in the range 10.2.0.0/16
ClusterIP Services, which use a per-cluster virtual network in the range 10.128.0.0/16
All of the following types of workloads can be reached from the Internet:
NodePort Services, which listen on all Nodes with ports in the range 30000-32768.
LoadBalancer Services, which automatically deploy and configure a NodeBalancer.
Any manifest which uses hostNetwork: true and specifies a port.
Most manifests which use hostPort and specify a port.
It goes on to link to another one of our Community posts about Kubernetes security practices: Securing k8s cluster
Regarding your VLANs question: VLANs aren't supported natively by LKE just yet, so there's not an option to configure them right off the bat. As you suspected, you would need to enable them manually from the configuration profile of each individual node.
I'm not sure what your use case is with your storage Linode, but we also have a guide about adding persistent volumes (using Block Storage Volumes) to LKE clusters for storage purposes: Deploy Persistent Volume Claims with the Linode Block Storage CSI Driver
Hi Jdutton thanks for you response.
I will definately have a read of the the provided resources.
The storage linode is a host for mysql database and redis cache, which will only need to be accessed by the services running on the LKE cluster, and as such pretty keen on not having these services accessible to public if they don't need to be.
But im guessing getting my head around linux firewalls is the answer to this.