!!!先启动firewalld.service再启动docker.service
已经启动docker.service的，在启动firewalld.service后需要重启docker.service
Master:不限制网段
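#!/bin/sh
# Master node, unrestricted variant: open the listed ports for every source,
# attach the container bridges to the trusted zone, reload the permanent
# configuration into the runtime set and print the resulting zone.
# Ordering note from the page: start firewalld.service before docker.service;
# a docker.service that was already running must be restarted afterwards.
# Runs as root. With set -e a failing firewall-cmd stops the script before the
# reload instead of silently applying a partial rule set (the original had the
# shebang fused to the first command and could not run at all).
set -eu

# Ports reachable from any source, protocols as given by the original author.
firewall-cmd --permanent --add-port=30000-32767/tcp
firewall-cmd --permanent --add-port=65535/tcp
firewall-cmd --permanent --add-port=8472/udp
firewall-cmd --permanent --add-port=68/udp
firewall-cmd --permanent --add-port=8118/tcp
firewall-cmd --permanent --add-port=6443/tcp
firewall-cmd --permanent --add-port=10200-10300/tcp
firewall-cmd --permanent --add-port=2370-2390/tcp
firewall-cmd --permanent --add-port=323/udp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=4443/tcp
firewall-cmd --permanent --add-port=25/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --permanent --add-port=80/tcp
# NOTE(review): 9100 and 9090 are opened as udp here — confirm the protocol
# the listening services actually use before relying on these two rules.
firewall-cmd --permanent --add-port=9100/udp
firewall-cmd --permanent --add-port=9090/udp

# Bridges in the trusted zone: firewalld accepts all traffic arriving on
# docker0/cni0, so every container or pod can reach any host port without
# filtering. Kept as in the original; use a dedicated zone with an explicit
# port list if host services must not be exposed to workloads.
firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --permanent --zone=trusted --change-interface=cni0

# Apply the permanent rules to the running firewall and show the result.
firewall-cmd --reload
firewall-cmd --list-all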
Master:限制网段
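#!/bin/sh
# Master node, subnet-restricted variant.
# Ports that must be reachable from anywhere are opened for all sources; the
# cluster-internal ports are accepted only from the node subnet via rich
# rules. The permanent configuration is reloaded at the end and then printed.
# Ordering note from the page: start firewalld.service before docker.service;
# a docker.service that was already running must be restarted afterwards.
# Usage: sh <this script> [subnet]      default subnet: 192.168.40.0/24
# Runs as root. With set -e a failing firewall-cmd stops the script before the
# reload instead of silently applying a partial rule set (the original had the
# shebang fused to the first command and could not run at all).
set -eu

# Source network allowed to reach the internal ports. The original literal is
# the default, so invocations without an argument behave exactly as before.
subnet=${1:-192.168.40.0/24}

# Print the rich-rule text for $1=protocol, $2=port or port range.
# The original nested double quotes inside a double-quoted argument, so the
# shell stripped the inner quotes; printf hands them to firewalld intact.
subnet_rule() {
  printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' \
    "$subnet" "$1" "$2"
}

# Permanently accept $2/$1 only when the source is $subnet.
allow_from_subnet() {
  firewall-cmd --permanent --add-rich-rule="$(subnet_rule "$1" "$2")"
}

# Permanently remove a per-subnet accept rule for $2/$1.
revoke_from_subnet() {
  firewall-cmd --permanent --remove-rich-rule="$(subnet_rule "$1" "$2")"
}

# Ports reachable from any source.
firewall-cmd --permanent --add-port=30000-32767/tcp
firewall-cmd --permanent --add-port=65535/tcp
firewall-cmd --permanent --add-port=68/udp
firewall-cmd --permanent --add-port=8118/tcp
firewall-cmd --permanent --add-port=80/tcp

# Bridges in the trusted zone: firewalld accepts all traffic arriving on
# docker0/cni0, so every container or pod can reach any host port without
# filtering. Kept as in the original; use a dedicated zone with an explicit
# port list if host services must not be exposed to workloads.
firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --permanent --zone=trusted --change-interface=cni0

# Ports reachable only from the node subnet.
allow_from_subnet tcp 25
allow_from_subnet tcp 6443
allow_from_subnet tcp 2370-2390
allow_from_subnet tcp 10240-10260
# udp 4443/443 are removed rather than added — presumably cleanup of rules an
# earlier version of this script created. firewall-cmd normally reports the
# removal of an absent rule as a warning; if your version exits non-zero
# instead, the script stops here before --reload.
revoke_from_subnet udp 4443
revoke_from_subnet udp 443
allow_from_subnet udp 53
allow_from_subnet udp 8472
allow_from_subnet udp 323
allow_from_subnet udp 123

# Apply the permanent rules to the running firewall and show the result.
firewall-cmd --reload
firewall-cmd --list-all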
Nodes:限制网段
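#!/bin/sh
# Worker node, subnet-restricted variant.
# Ports that must be reachable from anywhere are opened for all sources; the
# cluster-internal ports are accepted only from the node subnet via rich
# rules. The permanent configuration is reloaded at the end and then printed.
# Ordering note from the page: start firewalld.service before docker.service;
# a docker.service that was already running must be restarted afterwards.
# Usage: sh <this script> [subnet]      default subnet: 192.168.40.0/24
# Runs as root. With set -e a failing firewall-cmd stops the script before the
# reload instead of silently applying a partial rule set (the original had the
# shebang fused to the first command and could not run at all).
set -eu

# Source network allowed to reach the internal ports. The original literal is
# the default, so invocations without an argument behave exactly as before.
subnet=${1:-192.168.40.0/24}

# Print the rich-rule text for $1=protocol, $2=port or port range.
# The original nested double quotes inside a double-quoted argument, so the
# shell stripped the inner quotes; printf hands them to firewalld intact.
subnet_rule() {
  printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' \
    "$subnet" "$1" "$2"
}

# Permanently accept $2/$1 only when the source is $subnet.
allow_from_subnet() {
  firewall-cmd --permanent --add-rich-rule="$(subnet_rule "$1" "$2")"
}

# Permanently remove a per-subnet accept rule for $2/$1.
revoke_from_subnet() {
  firewall-cmd --permanent --remove-rich-rule="$(subnet_rule "$1" "$2")"
}

# Ports reachable from any source.
firewall-cmd --permanent --add-port=30000-32767/tcp
firewall-cmd --permanent --add-port=65535/tcp
firewall-cmd --permanent --add-port=68/udp
firewall-cmd --permanent --add-port=8118/tcp
firewall-cmd --permanent --add-port=80/tcp

# NOTE(review): unlike the master scripts no --zone is given, so docker0/cni0
# are attached to firewalld's default zone rather than "trusted". That keeps
# container traffic subject to the zone's filtering, which may well be the
# intent for worker nodes — confirm before changing it.
firewall-cmd --permanent --change-interface=docker0
firewall-cmd --permanent --change-interface=cni0

# Ports reachable only from the node subnet (no 6443 on workers).
allow_from_subnet tcp 25
allow_from_subnet tcp 2370-2390
allow_from_subnet tcp 10240-10260
# udp 4443/443 are removed rather than added — presumably cleanup of rules an
# earlier version of this script created. firewall-cmd normally reports the
# removal of an absent rule as a warning; if your version exits non-zero
# instead, the script stops here before --reload.
revoke_from_subnet udp 4443
revoke_from_subnet udp 443
allow_from_subnet udp 53
allow_from_subnet udp 8472
allow_from_subnet udp 323
allow_from_subnet udp 123

# Apply the permanent rules to the running firewall and show the result.
firewall-cmd --reload
firewall-cmd --list-all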