AWS Security Group Configuration for Kubernetes

1. Security Group for Master Nodes

Name: K8s-Master-SG

Inbound Rules:

These rules allow the master nodes to communicate with the worker nodes and external services securely.

Protocol | Port Range | Source         | Description
---------|------------|----------------|---------------------------------
TCP      | 6443       | K8s-Worker-SG  | Kubernetes API server communication
TCP      | 2379-2380  | K8s-Master-SG  | Etcd server communication
TCP      | 10250      | K8s-Worker-SG  | Kubelet communication
TCP      | 10251      | K8s-Master-SG  | Kube-scheduler communication
TCP      | 10252      | K8s-Master-SG  | Controller-manager communication
TCP      | 22         | Admin IP       | SSH access for administration
ICMP     | All        | K8s-Worker-SG  | Ping requests

Outbound Rules:

Allow all outbound traffic (0.0.0.0/0) unless specific restrictions apply.


2. Security Group for Worker Nodes

Name: K8s-Worker-SG

Inbound Rules:

These rules enable the worker nodes to communicate with the master nodes and handle external traffic.

Protocol | Port Range  | Source                       | Description
---------|-------------|------------------------------|----------------------------------
TCP      | 10250       | K8s-Master-SG                | Kubelet communication from master
TCP      | 30000-32767 | 0.0.0.0/0                    | NodePort services
TCP      | 22          | Admin IP                     | SSH access for administration
ICMP     | All         | K8s-Master-SG, K8s-Worker-SG | Ping requests

Outbound Rules:

Allow all outbound traffic (0.0.0.0/0) unless specific restrictions apply.


Explanation of Key Ports

  1. 6443: Kubernetes API server port, used by worker nodes to communicate with the master.

  2. 2379-2380: Ports for etcd, the key-value store used by Kubernetes.

  3. 10250: Port for Kubelet API, used for control plane to node communication.

  4. 10251: Kube-scheduler listens on this port for leader election.

  5. 10252: Controller-manager listens on this port for leader election.

  6. 30000-32767: Kubernetes services exposed via NodePort use these ports.


Best Practices

  1. Restrict SSH Access
    Only allow SSH access from trusted IP addresses to improve security.

  2. Minimize External Access
    Limit external access to only necessary ports (e.g., for NodePort services or LoadBalancer).

  3. VPC and Subnet
    Ensure that both master and worker nodes are in the same VPC and use private subnets for internal communication.
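To verify that a deployed group actually matches the tables and best practices above, the following added example (not part of the original post) audits a security group's ingress rules. It assumes the input has the IpPermissions shape returned by `aws ec2 describe-security-groups`; the sample group is constructed for this example, and the rule names (K8s-Master-SG, K8s-Worker-SG) are only used as labels.

```python
# Added example (not from the original post): audit a security group's
# ingress rules against the policy in the tables above. Input shape follows
# the IpPermissions structure of `aws ec2 describe-security-groups`; the
# sample group below is constructed for this example.
import json

CONTROL_PLANE_PORTS = {6443, 2379, 2380, 10250, 10251, 10252}  # SG-source only
NODEPORT_RANGE = (30000, 32767)          # the only range allowed from anywhere
WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_WORKER_SG = {  # constructed: two compliant rules and one SSH violation
    "GroupName": "K8s-Worker-SG",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-master-example"}]},
        {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def covers(lo, hi, ports):
    """True if the port range lo-hi includes any of the given ports."""
    return any(lo <= p <= hi for p in ports)


def audit_ingress(sg):
    """Return a list of policy findings for one security group (empty = OK)."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol", "-1")
        # IpProtocol "-1" means all traffic, which covers every port
        lo = 0 if proto == "-1" else perm.get("FromPort", 0)
        hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD and (proto, lo, hi) != ("tcp", *NODEPORT_RANGE):
                findings.append(f"{proto} {lo}-{hi} open to {cidr}; "
                                "only TCP 30000-32767 may be world-reachable")
            if covers(lo, hi, CONTROL_PLANE_PORTS):
                findings.append(f"{proto} {lo}-{hi} allowed from CIDR {cidr}; "
                                "control-plane ports must use a security-group source")
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_ingress(SAMPLE_WORKER_SG), indent=2))
```

Feed it the `SecurityGroups` entries from the CLI output (one dict per group) to check both K8s-Master-SG and K8s-Worker-SG in one pass.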


Written by

Kshitija Bartakke-Malwade