Enable firewall on a running node

Follow the steps below on each running node to enable the firewall.

On the NFS server

Run the following commands to enable the firewall on the NFS server.

systemctl start firewalld; systemctl enable firewalld

firewall-cmd --permanent --add-port=111/udp

firewall-cmd --permanent --add-port=111/tcp

firewall-cmd --permanent --add-port=2049/tcp

firewall-cmd --permanent --add-port=20048/tcp

firewall-cmd --reload

On the running master nodes

For the single-master node deployment

Run the following commands to enable the firewall on the running master node.

systemctl start firewalld; systemctl enable firewalld

firewall-cmd --permanent --add-port=4001/tcp

firewall-cmd --permanent --add-port=2380/tcp

firewall-cmd --permanent --add-port=8200/tcp

firewall-cmd --permanent --add-port=8201/tcp

firewall-cmd --permanent --add-port=8443/tcp

firewall-cmd --permanent --add-port=10250/tcp

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet"

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i docker0 -j ACCEPT -m comment --comment 'kube-proxy redirects'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MasterNodeIP>/32" port protocol="tcp" port="10255" accept'

firewall-cmd --reload

For the multiple-master node deployment

Run the following commands to enable the firewall on each running master node.

systemctl start firewalld; systemctl enable firewalld

firewall-cmd --permanent --add-port=4001/tcp

firewall-cmd --permanent --add-port=2380/tcp

firewall-cmd --permanent --add-port=8200/tcp

firewall-cmd --permanent --add-port=8201/tcp

firewall-cmd --permanent --add-port=8443/tcp

firewall-cmd --permanent --add-port=10250/tcp

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet"

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i docker0 -j ACCEPT -m comment --comment 'kube-proxy redirects'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MasterNode1IP>/32" port protocol="tcp" port="10255" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MasterNode2IP>/32" port protocol="tcp" port="10255" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MasterNode3IP>/32" port protocol="tcp" port="10255" accept'

firewall-cmd --reload

On the running worker nodes

For the single-master node deployment

Run the following commands to enable the firewall on each running worker node.

systemctl start firewalld; systemctl enable firewalld

firewall-cmd --permanent --add-port=10250/tcp

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet"

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i docker0 -j ACCEPT -m comment --comment 'kube-proxy redirects'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MasterNodeIP>/32" port protocol="tcp" port="10255" accept'

firewall-cmd --reload

For the multiple-master node deployment

Run the following commands to enable the firewall on each running worker node.

systemctl start firewalld; systemctl enable firewalld

firewall-cmd --permanent --add-port=10250/tcp

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet"

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i docker0 -j ACCEPT -m comment --comment 'kube-proxy redirects'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MasterNode1IP>/32" port protocol="tcp" port="10255" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MasterNode2IP>/32" port protocol="tcp" port="10255" accept'

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<MasterNode3IP>/32" port protocol="tcp" port="10255" accept'

firewall-cmd --reload
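After running the procedure, it is worth confirming that the permanent firewalld configuration on each node actually contains the ports and the kubelet read-only port (10255) rich rules listed above. The following audit script is an added example and not part of the product documentation; the role names (nfs, master, worker), the audit_node helper and the master IP addresses it takes are assumptions, and the comparison functions accept the firewall-cmd listing as an argument so they can be exercised offline with constructed input.

```sh
#!/bin/sh
# Audit helper (added example): verify that a node's permanent firewalld
# configuration contains the ports and rich rules the procedure above adds.
# The pure functions take the listing as an argument so they can be checked
# offline; audit_node wires them to firewall-cmd on a real node.

# Expected permanent ports per node role, taken from the procedure.
ports_for_role() {
  case "$1" in
    nfs)    echo "111/udp 111/tcp 2049/tcp 20048/tcp" ;;
    master) echo "4001/tcp 2380/tcp 8200/tcp 8201/tcp 8443/tcp 10250/tcp" ;;
    worker) echo "10250/tcp" ;;
    *)      echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# missing_ports ROLE "ACTUAL PORT LIST" -> expected ports absent from the list
missing_ports() {
  role=$1 actual=$2 missing=""
  for p in $(ports_for_role "$role"); do
    case " $actual " in
      *" $p "*) ;;                     # port is present
      *) missing="$missing $p" ;;
    esac
  done
  echo "${missing# }"
}

# missing_master_rules "IP1 IP2 ..." "RICH RULE LISTING" -> master IPs that
# have no accept rule for tcp/10255 (listing has one rule per line)
missing_master_rules() {
  ips=$1 rules=$2 missing=""
  for ip in $ips; do
    printf '%s\n' "$rules" | grep -q "source address=\"$ip/32\".*port=\"10255\"" \
      || missing="$missing $ip"
  done
  echo "${missing# }"
}

# audit_node ROLE "MASTER IPS": run on the node, compare the permanent config
audit_node() {
  ports=$(firewall-cmd --permanent --list-ports) || return 2
  rich=$(firewall-cmd --permanent --list-rich-rules) || return 2
  m=$(missing_ports "$1" "$ports"); r=$(missing_master_rules "$2" "$rich")
  [ -z "$m$r" ] && { echo "ok: expected $1 rules are present"; return 0; }
  [ -n "$m" ] && echo "missing permanent ports: $m"
  [ -n "$r" ] && echo "missing tcp/10255 rich rule for master: $r"
  return 1
}

if [ $# -gt 0 ]; then audit_node "$@"; fi
```

Run it on a worker in a three-master deployment as `sh audit.sh worker "<MasterNode1IP> <MasterNode2IP> <MasterNode3IP>"`; a non-zero exit means the node drifted from the procedure and needs the missing commands re-applied followed by `firewall-cmd --reload`.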