Kubernetes防火墙配置



!!! 先启动 firewalld.service，再启动 docker.service。原因：docker 启动时会把自己的转发/NAT 规则写入 iptables，而 firewalld 启动或重载时会清空这些规则，顺序反了容器网络就会不通。

如果 docker.service 已经在运行，则在启动 firewalld.service 之后再重启一次 docker.service，让 docker 重新写入它的 iptables 规则。

Master: 不限制网段——下列端口对任意来源地址开放，包括 kube-apiserver(6443) 和 etcd 端口段(2370-2390)；只适合前面已经有其他访问控制（安全组、上游防火墙）的环境。

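#!/bin/sh
# Kubernetes master, UNRESTRICTED variant.
#
# Every port below is added to the default zone with no source restriction, so
# it is reachable from any address that can route to this host. That includes
# kube-apiserver (6443) and the etcd range (2370-2390); use the subnet-restricted
# variant unless another filter already sits in front of the master.
#
# Host ordering: firewalld must be running before docker starts (or docker must
# be restarted after firewalld), otherwise the iptables rules docker writes are
# flushed by firewalld and container networking breaks.

# Stop at the first failing firewall-cmd so a half-written permanent
# configuration is never --reload'ed into the live ruleset. firewall-cmd only
# warns (exit 0) when a port is already present, so re-running is safe.
set -eu

add_tcp() { firewall-cmd --permanent --add-port="$1/tcp"; }
add_udp() { firewall-cmd --permanent --add-port="$1/udp"; }

add_tcp 30000-32767   # Kubernetes default NodePort range
add_tcp 65535         # purpose not stated on this page — confirm before keeping
add_udp 8472          # flannel VXLAN default port (overlay traffic)
add_udp 68            # DHCP client
add_tcp 8118          # presumably a local proxy (privoxy default) — confirm
add_tcp 6443          # kube-apiserver — world-reachable in this variant
add_tcp 10200-10300   # covers kubelet 10250, controller-manager 10257, scheduler 10259
add_tcp 2370-2390     # covers etcd client/peer ports 2379-2380
add_udp 323           # chronyd command port
add_tcp 443
add_tcp 4443
add_tcp 25            # SMTP on a control-plane host is unusual — confirm it is needed
add_udp 53            # DNS
add_tcp 80
add_udp 9100          # NOTE(review): node_exporter normally listens on TCP — confirm udp is intended
add_udp 9090          # NOTE(review): Prometheus normally listens on TCP — confirm udp is intended

# Bridge interfaces carrying container/pod traffic go into the "trusted" zone,
# i.e. everything arriving on them is accepted without filtering.
for iface in docker0 cni0; do
  firewall-cmd --permanent --zone=trusted --change-interface="$iface"
done

firewall-cmd --reload
# Shows the default zone only; use --list-all-zones to also see the trusted
# zone with docker0/cni0.
firewall-cmd --list-all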

Master: 限制网段——控制平面、etcd、DNS 和 overlay 端口只对 192.168.40.0/24 开放；注意 NodePort 范围 30000-32767 以及 80/8118/65535 仍对任意来源开放。

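#!/bin/sh
# Kubernetes master, subnet-restricted variant.
#
# Control-plane ports (6443, etcd range, kubelet/scheduler/controller range),
# DNS, NTP/chrony and the VXLAN overlay are only accepted from ${SUBNET}; a
# handful of ports are still opened to any source (see below).
#
# Host ordering: firewalld must be running before docker starts (or docker must
# be restarted after firewalld), otherwise docker's iptables rules are flushed.

# Stop at the first failing firewall-cmd so a half-written permanent
# configuration is never --reload'ed into the live ruleset. firewall-cmd only
# warns (exit 0) when a port/rule is already present or already absent, so
# re-running the script is safe — verify this on the installed version.
set -eu

# Cluster subnet allowed to reach the restricted ports. Override with
# SUBNET=... when the cluster lives in a different range.
SUBNET="${SUBNET:-192.168.40.0/24}"

# Open $1 (port/proto) in the default zone for ANY source.
open_port() { firewall-cmd --permanent --add-port="$1"; }

# Build the rich-rule text accepting port $2 over protocol $1 from ${SUBNET}.
# The rule is emitted with proper double quotes around each value; writing it
# as "rule family="ipv4"source address=… (as on the original page) makes the
# shell drop the inner quotes and glue the tokens together, producing
# family=ipv4source …, which firewalld rejects.
subnet_rule() {
  printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' \
    "$SUBNET" "$1" "$2"
}
allow_from_subnet()  { firewall-cmd --permanent --add-rich-rule="$(subnet_rule "$1" "$2")"; }
revoke_from_subnet() { firewall-cmd --permanent --remove-rich-rule="$(subnet_rule "$1" "$2")"; }

# Opened to any source. NOTE: the NodePort range stays world-reachable even in
# this "restricted" variant; add a rich rule for it too if NodePort services
# must not be exposed beyond ${SUBNET}.
open_port 30000-32767/tcp   # Kubernetes default NodePort range
open_port 65535/tcp         # purpose not stated on this page — confirm before keeping
open_port 68/udp            # DHCP client
open_port 8118/tcp          # presumably a local proxy (privoxy default) — confirm
open_port 80/tcp

# Bridge interfaces carrying container/pod traffic go into the "trusted" zone,
# i.e. everything arriving on them is accepted without filtering.
for iface in docker0 cni0; do
  firewall-cmd --permanent --zone=trusted --change-interface="$iface"
done

# Restricted to ${SUBNET}.
allow_from_subnet tcp 25            # SMTP — unusual on a control-plane host, confirm
allow_from_subnet tcp 6443          # kube-apiserver
allow_from_subnet tcp 2370-2390     # covers etcd 2379-2380
allow_from_subnet tcp 10240-10260   # covers kubelet 10250, controller-manager 10257, scheduler 10259
# These two are removals, not additions — presumably leftovers from an earlier
# version of this script. They are no-ops when the rules do not exist.
revoke_from_subnet udp 4443
revoke_from_subnet udp 443
allow_from_subnet udp 53            # DNS
allow_from_subnet udp 8472          # flannel VXLAN default port
allow_from_subnet udp 323           # chronyd command port
allow_from_subnet udp 123           # NTP

firewall-cmd --reload
# Shows the default zone only; use --list-all-zones to also see the trusted
# zone with docker0/cni0.
firewall-cmd --list-all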

Nodes: 限制网段——与 Master 限制版相同，只是工作节点不开放 6443；NodePort 范围仍对任意来源开放。

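#!/bin/sh
# Kubernetes worker node, subnet-restricted variant.
#
# Same shape as the restricted master script minus the API-server port: the
# kubelet range, etcd range, DNS, NTP/chrony and the VXLAN overlay are only
# accepted from ${SUBNET}; a handful of ports stay open to any source.
#
# Host ordering: firewalld must be running before docker starts (or docker must
# be restarted after firewalld), otherwise docker's iptables rules are flushed.

# Stop at the first failing firewall-cmd so a half-written permanent
# configuration is never --reload'ed into the live ruleset. firewall-cmd only
# warns (exit 0) when a port/rule is already present or already absent, so
# re-running the script is safe — verify this on the installed version.
set -eu

# Cluster subnet allowed to reach the restricted ports. Override with
# SUBNET=... when the cluster lives in a different range.
SUBNET="${SUBNET:-192.168.40.0/24}"

# Open $1 (port/proto) in the default zone for ANY source.
open_port() { firewall-cmd --permanent --add-port="$1"; }

# Build the rich-rule text accepting port $2 over protocol $1 from ${SUBNET}.
# Each value is properly double-quoted; writing the rule as
# "rule family="ipv4"source address=… (as on the original page) makes the shell
# drop the inner quotes and glue the tokens together (family=ipv4source …),
# which firewalld rejects.
subnet_rule() {
  printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' \
    "$SUBNET" "$1" "$2"
}
allow_from_subnet()  { firewall-cmd --permanent --add-rich-rule="$(subnet_rule "$1" "$2")"; }
revoke_from_subnet() { firewall-cmd --permanent --remove-rich-rule="$(subnet_rule "$1" "$2")"; }

# Opened to any source. NOTE: the NodePort range stays world-reachable even in
# this "restricted" variant; add a rich rule for it too if NodePort services
# must not be exposed beyond ${SUBNET}.
open_port 30000-32767/tcp   # Kubernetes default NodePort range
open_port 65535/tcp         # purpose not stated on this page — confirm before keeping
open_port 68/udp            # DHCP client
open_port 8118/tcp          # presumably a local proxy (privoxy default) — confirm
open_port 80/tcp

# Bridge interfaces carrying container/pod traffic go into the "trusted" zone,
# matching the master scripts. The original node script omitted --zone=trusted,
# which assigns the bridges to the default zone instead and filters pod
# traffic arriving on them.
for iface in docker0 cni0; do
  firewall-cmd --permanent --zone=trusted --change-interface="$iface"
done

# Restricted to ${SUBNET}.
allow_from_subnet tcp 25            # SMTP — unusual on a worker node, confirm
allow_from_subnet tcp 2370-2390     # etcd range; only needed if etcd runs here — confirm
allow_from_subnet tcp 10240-10260   # covers kubelet 10250
# These two are removals, not additions — presumably leftovers from an earlier
# version of this script. They are no-ops when the rules do not exist.
revoke_from_subnet udp 4443
revoke_from_subnet udp 443
allow_from_subnet udp 53            # DNS
allow_from_subnet udp 8472          # flannel VXLAN default port
allow_from_subnet udp 323           # chronyd command port
allow_from_subnet udp 123           # NTP

firewall-cmd --reload
# Shows the default zone only; use --list-all-zones to also see the trusted
# zone with docker0/cni0.
firewall-cmd --list-all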