Limit Hetzner firewall port exposure #474
Comments
Port 5001 is required for the embedded registry mirror to work. Unfortunately, during my testing I found that it doesn't work out of the box with peers communicating through the private network if available. Connections between peers are authenticated, but I will see if I can test Spegel (the embedded registry mirror) again to see if something has been fixed and whether it works now with the private network. Ports 30000-32767 are required for NodePort services, so they only pose a risk if you explicitly decide to expose a service to the Internet on a NodePort. Otherwise those ports are not in use, so they don't pose any risk IMO. I have it on my list to make it possible to enable/disable the NodePort range with a config option, though. As for ICMP, it's probably a matter of opinion, but I think that preventing pings does little in terms of security, since most bots and scanners etc. will knock on various ports to look for holes and vulnerabilities. They are unlikely to stop just because an IP address doesn't respond to ping. Again, it's something I can make configurable anyway.
Thanks for your detailed response. I understand the port requirements for 5001 and 30000-32767 and appreciate your explanation about the configuration. It's reassuring that peer connections are authenticated, and NodePort services only pose a risk if exposed. Configuring the NodePort range and ICMP settings in the future would be great for those who want more control over the firewall setup.
Wouldn't security be improved if the `hetzner-k3s create` command of hetzner-k3s version 2.0.8 did not (re-)open the Hetzner Cloud Firewall to allow any incoming traffic from any IPv4 or IPv6 address on ports 5001, 30000 through 32767, and for ICMP (ping)?

According to the OWASP Kubernetes Security Cheat Sheet:

> Since Kubernetes clusters usually listen on a range of well-defined and distinctive ports, it is easier for attackers to identify the clusters and attack them. An overview of the default ports used in Kubernetes is provided below. Make sure that your network blocks access to ports, and you should seriously consider limiting access to the Kubernetes API server to trusted networks.
Control plane nodes
Worker Nodes
Given these guidelines, would it be possible to restrict the firewall configuration to enhance security while preserving necessary functionality?
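To make the request concrete, here is an added example (not code from hetzner-k3s or from anyone in this thread) that audits a Hetzner Cloud Firewall rule set for the three world-open rules named above and derives a tightened set that keeps the cluster working: 5001/tcp stays open but only to the nodes' own public addresses (the Spegel peers, since the thread says peer traffic does not go over the private network), while the NodePort range and ICMP are dropped unless the operator opts in, matching the toggles the maintainer proposes. The rule dictionaries follow the shape of the Hetzner Cloud API's firewall `rules` objects (`direction`, `protocol`, `port`, `source_ips`, `description`); the sample rules, the node addresses and the admin CIDR are all constructed for the example.

```python
"""Audit a Hetzner Cloud Firewall rule set for world-open exposure of the
ports discussed in hetzner-k3s issue #474 (5001/tcp, 30000-32767/tcp, ICMP)
and derive a tightened rule set that keeps the cluster working.

Added example for the issue thread, not code from hetzner-k3s. Rule dicts
follow the Hetzner Cloud API firewall `rules` shape; every IP address and
the sample rule set below are constructed for illustration."""
import ipaddress

# The two "anything" CIDRs a rule may carry in source_ips.
ANY = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

# (protocol, port) pairs the issue reports as opened to any source by `create`.
# ICMP rules carry no port in the Hetzner API, hence None.
SENSITIVE = {
    ("tcp", "5001"): "embedded registry mirror (Spegel) peer traffic",
    ("tcp", "30000-32767"): "NodePort range",
    ("icmp", None): "ping",
}

# Constructed sample: roughly what the firewall looks like after `hetzner-k3s create`
# (SSH and the API server already limited to an admin CIDR, the rest world-open).
SAMPLE_RULES = [
    {"direction": "in", "protocol": "tcp", "port": "22",
     "source_ips": ["203.0.113.0/24"], "description": "SSH"},
    {"direction": "in", "protocol": "tcp", "port": "6443",
     "source_ips": ["203.0.113.0/24"], "description": "Kubernetes API"},
    {"direction": "in", "protocol": "tcp", "port": "5001",
     "source_ips": ["0.0.0.0/0", "::/0"], "description": "Embedded registry mirror"},
    {"direction": "in", "protocol": "tcp", "port": "30000-32767",
     "source_ips": ["0.0.0.0/0", "::/0"], "description": "NodePort services"},
    {"direction": "in", "protocol": "icmp",
     "source_ips": ["0.0.0.0/0", "::/0"], "description": "ICMP"},
]

# Constructed: public IPv4 addresses of the cluster nodes, i.e. the Spegel peers.
NODE_PUBLIC_IPS = ["198.51.100.10/32", "198.51.100.11/32", "198.51.100.12/32"]


def is_world_open(source_ips):
    """True if any source CIDR covers the entire IPv4 or IPv6 address space."""
    return any(ipaddress.ip_network(s, strict=False) in ANY for s in source_ips)


def rule_key(rule):
    """(protocol, port) of a rule; port is None for protocols without one (ICMP)."""
    return (rule.get("protocol"), rule.get("port"))


def audit(rules):
    """Return the inbound rules that expose a sensitive port/protocol to everyone."""
    return [
        {**r, "reason": SENSITIVE[rule_key(r)]}
        for r in rules
        if r.get("direction") == "in"
        and rule_key(r) in SENSITIVE
        and is_world_open(r.get("source_ips", []))
    ]


def restrict(rules, peer_ips, keep_nodeport=False, keep_icmp=False):
    """Tighten the rule set without breaking the cluster:
    - 5001/tcp stays open, but only to the peers' own public IPs;
    - the NodePort range and ICMP are dropped unless explicitly kept;
    - every other rule passes through unchanged."""
    out = []
    for r in rules:
        key = rule_key(r)
        if r.get("direction") != "in" or key not in SENSITIVE:
            out.append(r)
        elif key == ("tcp", "5001"):
            out.append({**r, "source_ips": list(peer_ips)})
        elif key == ("tcp", "30000-32767") and keep_nodeport:
            out.append(r)
        elif key == ("icmp", None) and keep_icmp:
            out.append(r)
        # any other sensitive rule is dropped
    return out


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"WORLD-OPEN {f['protocol']}/{f.get('port') or '-'}: {f['reason']}")
    tightened = restrict(SAMPLE_RULES, NODE_PUBLIC_IPS)
    print(f"{len(SAMPLE_RULES)} rules -> {len(tightened)} after tightening; "
          f"remaining findings: {len(audit(tightened))}")
```

Run against the constructed sample, `audit` flags the three rules the issue names and `restrict` leaves SSH, the API server and a 5001/tcp rule limited to the node addresses, after which `audit` reports nothing. Whether the pushed rule set is applied with the hcloud CLI, Terraform or the REST API is left to the operator; the point is that a `create` step can reopen exactly these rules, so the audit is worth re-running after every cluster operation.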