I'm looking to set up a self-hosted multi-node K3s cluster on a VPS that provides private networking, and each server has its own public IPv4 address. I'll be using Longhorn for storage and Traefik for ingress, but I want to keep it simple without adding Cilium or other complex options. The plan is to host web applications and expose a TCP port for Zabbix (10051) via an IngressRoute.
My main concern is which ports I can expose safely and which should remain on the private network. For handling the management network, I assume there will be a different VPS with a VPN. I've read about the need for port 6443, but I'm uncertain about other ports and their necessity. I know that ports 80 and 443 are generally safe, but I'm not clear about the rest of the ports Kubernetes uses.
5 Answers
I only expose ports 80 and 443 and manage everything through Traefik. It keeps things simple and secure.
To minimize your attack surface, it's best to expose as few ports as possible. For any needed access, you can SSH into your server and forward the necessary ports instead of exposing them directly.
It seems like you might not have a grasp on the fundamentals of security. Ports are just arbitrary numbers; their safety relies on how well you control access.
Keep in mind, safety is relative; there's no such thing as 'safe' on the internet. Make sure to use a load balancer or a firewall to protect your public-facing services, and avoid exposing the Kubernetes API server to the outside world.
I suggest exposing ports 80 and 443 (with appropriate redirects) and if you're concerned about security, you can place port 6443 behind a bastion host.
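Putting the advice in the answers above into a concrete host firewall, as an added example that is not from any of the posters: an nftables ruleset for one K3s node where only 80/443 (plus the Zabbix 10051 IngressRoute from the question) face the internet, SSH and 6443 are reachable only from the private network and the management VPN, and the K3s node-to-node ports are private-network only. The CIDRs are placeholders, and the node-to-node port list (10250 kubelet, 8472/udp Flannel VXLAN, 2379-2380 embedded etcd) is taken from the K3s documentation rather than from this thread.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for a K3s node. Public: 80/443/10051.
# Management (22, 6443): only from the private network and the VPN range.
# K3s node-to-node ports: only from the private network. Everything else dropped.
k3s_nft_ruleset() {
    private_cidr="$1"   # VPS private network, placeholder e.g. 10.0.0.0/24
    vpn_cidr="$2"       # management VPN range, placeholder e.g. 10.8.0.0/24
    cat <<EOF
table inet k3s_edge {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    icmp type echo-request accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept

    # Public services, all terminated by Traefik (10051 is the Zabbix IngressRoute)
    tcp dport { 80, 443, 10051 } accept

    # Management plane: SSH and the Kubernetes API only from private net and VPN
    ip saddr { $private_cidr, $vpn_cidr } tcp dport { 22, 6443 } accept

    # K3s node-to-node traffic (kubelet, embedded etcd, Flannel VXLAN), private only
    ip saddr $private_cidr tcp dport { 10250, 2379, 2380 } accept
    ip saddr $private_cidr udp dport 8472 accept
  }
}
EOF
}

# Sanity check before loading the ruleset: returns 0 if every accept line for
# the given port carries a source (saddr) restriction, 1 if any line opens the
# port to the whole internet.
port_not_public() {
    k3s_nft_ruleset "$1" "$2" | grep 'dport' | grep -w "$3" | grep -qv 'saddr' && return 1
    return 0
}

# Usage on the node (as root): k3s_nft_ruleset 10.0.0.0/24 10.8.0.0/24 | nft -f -
```

Load the output with `nft -f -` only after `port_not_public` passes for 6443 and 10250, and keep a console session open the first time in case the private CIDR is wrong.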