Kubernetes防火墙配置

!!! 先启动 firewalld.service，再启动 docker.service

如果 docker.service 已经启动，则在启动 firewalld.service 之后重启 docker.service

Master:不限制网段

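#!/bin/sh
# Kubernetes master, "不限制网段" variant: every port listed below is opened to
# all source addresses. The script stops at the first failing firewall-cmd so
# that a half-applied permanent rule set is never reloaded into the running
# firewall (the original continued, and reloaded, regardless of failures).
set -eu

command -v firewall-cmd >/dev/null 2>&1 || {
  printf 'firewall-cmd not found; is firewalld installed?\n' >&2
  exit 1
}

# Ports opened without any source restriction. In this variant 6443/tcp and
# 2370-2390/tcp are reachable from any network; the "限制网段" master script on
# this page accepts them only from one subnet, which is the safer choice unless
# the master already sits on an isolated network.
# NOTE(review): 9090 and 9100 are opened as UDP and 65535/tcp is unusual —
# confirm the protocol and the port are intended before deploying.
ports='
  30000-32767/tcp
  65535/tcp
  8472/udp
  68/udp
  8118/tcp
  6443/tcp
  10200-10300/tcp
  2370-2390/tcp
  323/udp
  443/tcp
  4443/tcp
  25/tcp
  53/udp
  80/tcp
  9100/udp
  9090/udp
'
# POSIX sh has no arrays: word-splitting of $ports is deliberate, every entry
# is a single token without whitespace or glob characters.
# shellcheck disable=SC2086
for port in $ports; do
  firewall-cmd --permanent --add-port="$port"
done

# The container bridges are moved to the trusted zone, i.e. traffic arriving
# on them is not filtered at all: any pod can reach any host port this way.
for bridge in docker0 cni0; do
  firewall-cmd --permanent --zone=trusted --change-interface="$bridge"
done

firewall-cmd --reload
firewall-cmd --list-all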

Master:限制网段

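#!/bin/sh
# Kubernetes master, "限制网段" variant: a handful of ports stay open to all
# sources, the control-plane ports are accepted only from $subnet. The script
# stops at the first failing firewall-cmd so that a half-applied permanent rule
# set is never reloaded (the original continued, and reloaded, regardless).
set -eu

command -v firewall-cmd >/dev/null 2>&1 || {
  printf 'firewall-cmd not found; is firewalld installed?\n' >&2
  exit 1
}

# The only network allowed to reach the source-restricted ports below. Adjust it
# to the CIDR the cluster nodes live on.
subnet='192.168.40.0/24'

# allow_from_subnet PROTO PORT
#   Adds a permanent rich rule accepting PORT/PROTO from $subnet. The inner
#   double quotes are escaped so they reach firewalld exactly as in its
#   documented rich-rule syntax, instead of relying on the shell's quote
#   toggling (the original `"rule family="ipv4" …"` form) to drop them.
allow_from_subnet() {
  firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$subnet\" port protocol=\"$1\" port=\"$2\" accept"
}

# remove_from_subnet PROTO PORT
#   Removes the permanent rich rule that allow_from_subnet would add.
remove_from_subnet() {
  firewall-cmd --permanent --remove-rich-rule="rule family=\"ipv4\" source address=\"$subnet\" port protocol=\"$1\" port=\"$2\" accept"
}

# Ports opened to every source address.
for port in 30000-32767/tcp 65535/tcp 68/udp 8118/tcp 80/tcp; do
  firewall-cmd --permanent --add-port="$port"
done

# The container bridges are moved to the trusted zone, i.e. traffic arriving
# on them is not filtered at all: any pod can reach any host port this way.
for bridge in docker0 cni0; do
  firewall-cmd --permanent --zone=trusted --change-interface="$bridge"
done

# Control-plane ports, reachable only from $subnet.
allow_from_subnet tcp 25
allow_from_subnet tcp 6443
allow_from_subnet tcp 2370-2390
allow_from_subnet tcp 10240-10260
# NOTE(review): the next two lines remove rules this script never adds, so on
# a fresh host they do nothing. The unrestricted master script on this page
# opens 443/tcp and 4443/tcp; if those were meant here, these should be
# `allow_from_subnet tcp …` instead — confirm the intent before changing.
remove_from_subnet udp 4443
remove_from_subnet udp 443
allow_from_subnet udp 53
allow_from_subnet udp 8472
allow_from_subnet udp 323
allow_from_subnet udp 123

firewall-cmd --reload
firewall-cmd --list-all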

Nodes:限制网段

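#!/bin/sh
# Kubernetes worker node, "限制网段" variant: a handful of ports stay open to
# all sources, the cluster-internal ports are accepted only from $subnet. The
# script stops at the first failing firewall-cmd so that a half-applied
# permanent rule set is never reloaded (the original continued regardless).
set -eu

command -v firewall-cmd >/dev/null 2>&1 || {
  printf 'firewall-cmd not found; is firewalld installed?\n' >&2
  exit 1
}

# The only network allowed to reach the source-restricted ports below. Adjust it
# to the CIDR the cluster nodes live on.
subnet='192.168.40.0/24'

# allow_from_subnet PROTO PORT
#   Adds a permanent rich rule accepting PORT/PROTO from $subnet. The inner
#   double quotes are escaped so they reach firewalld exactly as in its
#   documented rich-rule syntax, instead of relying on the shell's quote
#   toggling (the original `"rule family="ipv4" …"` form) to drop them.
allow_from_subnet() {
  firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$subnet\" port protocol=\"$1\" port=\"$2\" accept"
}

# remove_from_subnet PROTO PORT
#   Removes the permanent rich rule that allow_from_subnet would add.
remove_from_subnet() {
  firewall-cmd --permanent --remove-rich-rule="rule family=\"ipv4\" source address=\"$subnet\" port protocol=\"$1\" port=\"$2\" accept"
}

# Ports opened to every source address.
for port in 30000-32767/tcp 65535/tcp 68/udp 8118/tcp 80/tcp; do
  firewall-cmd --permanent --add-port="$port"
done

# Both master scripts on this page bind docker0/cni0 to the trusted zone; the
# original node script omitted --zone, in which case firewall-cmd acts on the
# default zone instead. Made consistent here. Trusted means traffic arriving on
# the bridges is not filtered at all, so any pod can reach any host port —
# confirm that is intended for worker nodes.
for bridge in docker0 cni0; do
  firewall-cmd --permanent --zone=trusted --change-interface="$bridge"
done

# Cluster-internal ports, reachable only from $subnet.
allow_from_subnet tcp 25
allow_from_subnet tcp 2370-2390
allow_from_subnet tcp 10240-10260
# NOTE(review): the next two lines remove rules this script never adds, so on
# a fresh host they do nothing. If 443/4443 were meant to be opened here (the
# unrestricted master script opens them on tcp), these should be
# `allow_from_subnet tcp …` instead — confirm the intent before changing.
remove_from_subnet udp 4443
remove_from_subnet udp 443
allow_from_subnet udp 53
allow_from_subnet udp 8472
allow_from_subnet udp 323
allow_from_subnet udp 123

firewall-cmd --reload
firewall-cmd --list-all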
