
Which K3S ports should (not) be exposed on a public interface?

The K3S documentation explains which ports are required for this Kubernetes distribution to work.

What it does NOT explain is which of these ports are OK to be open on a public interface.

K3S seems to deal with the following ports:

Master
6443/tcp nodes
8472/udp flannel
10250/tcp kubelet (metrics)
10251/tcp controller-manager
10255/tcp kubelet (readonly)

Worker
10250/tcp kubelet (metrics)
10255/tcp kubelet (readonly)
30000-32767/tcp nodeports

Given that the cluster nodes share their own subnet, it seems to make sense to bind the ports to the subnet interface (instead of the public interface). Unfortunately, this is not exactly painless with K3S.

So before jumping through hoops:

Which of the ports above should be hidden from the public interface?

Which of the ports above are secured and maybe even required to be available via the public interface (e.g. access to the cluster via kubectl)?
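
Added example, not part of the original question: a small audit that reports, for each port listed above, which kind of address a node is actually listening on, so the current exposure is known before any rebinding or firewalling. The `ss -tuln` sample is constructed, and the function names and scope labels are this example's own.

```python
import ipaddress

# Ports exactly as listed in the question: (port, proto) -> label.
K3S_PORTS = {
    (6443, "tcp"): "nodes", (8472, "udp"): "flannel",
    (10250, "tcp"): "kubelet (metrics)", (10251, "tcp"): "controller-manager",
    (10255, "tcp"): "kubelet (readonly)",
}
NODEPORTS = range(30000, 32768)  # 30000-32767/tcp

# Constructed sample of `ss -tuln` output (not captured from a real node).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:8472        0.0.0.0:*
tcp   LISTEN 0      4096   10.0.0.2:10250      0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:10251     0.0.0.0:*
tcp   LISTEN 0      4096   *:6443              *:*
tcp   LISTEN 0      4096   [::]:31080          [::]:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

def bind_scope(addr):
    """Classify a listen address by how widely it is reachable."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if addr == "*" or ipaddress.ip_address(addr).is_unspecified:
        return "all-interfaces"  # wildcard bind includes any public interface
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit(ss_output):
    """Return (port, proto, label, scope) for each listener on a listed port."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        addr, _, port = fields[4].rpartition(":")
        port = int(port)
        label = K3S_PORTS.get((port, proto))
        if label is None and proto == "tcp" and port in NODEPORTS:
            label = "nodeport"
        if label:
            findings.append((port, proto, label, bind_scope(addr)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(*finding, sep="\t")
```

On a real node, pass the captured text of `ss -tuln` to `audit()` in place of `SAMPLE_SS`.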
