
Commit de73d82

cmyui and claude authored
Restrict K8s API firewall to VPC + Tailscale only (#37)
Now that GitHub Actions uses self-hosted runners in VPC, we no longer need the K8s API open to the internet.

- VPC (10.118.0.0/20): Allows kubelets, kube-proxy, and GitHub runner
- Tailscale (100.64.0.0/10): Allows admin kubectl access

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 8e6bc57 commit de73d82

File tree: 1 file changed (+4 -4 lines changed)


tf/digitalocean.tf

Lines changed: 4 additions & 4 deletions
@@ -134,13 +134,13 @@ resource "digitalocean_firewall" "k8s-master-firewall" {
134134
source_addresses = [var.tailscale_ipv4_range]
135135
}
136136

137-
# Kubernetes API - open for now (GitHub Actions has 4000+ dynamic IPs)
138-
# TODO: Consider self-hosted runners in VPC to restrict this
139-
# Security: K8s API requires valid client certs, so exposure is low risk
137+
# Kubernetes API - VPC + Tailscale only
138+
# GitHub Actions uses self-hosted runners in VPC
139+
# Admin access via Tailscale
140140
inbound_rule {
141141
protocol = "tcp"
142142
port_range = "6443"
143-
source_addresses = ["0.0.0.0/0", "::/0"]
143+
source_addresses = [digitalocean_vpc.akatsuki-production-vpc.ip_range, var.tailscale_ipv4_range]
144144
}
145145

146146
# etcd - VPC only (cluster-internal)
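Review bot: the new `source_addresses` on line 143 drops `"::/0"` but only adds `var.tailscale_ipv4_range`, so the 6443 rule now matches IPv4 sources only; if any admin's kubectl reaches the control plane over a Tailscale IPv6 address rather than the 100.64.0.0/10 range, this rule will reject it. Either add a Tailscale IPv6 range variable next to `var.tailscale_ipv4_range` or state in the "Admin access via Tailscale" comment that IPv6 is intentionally excluded. Referencing `digitalocean_vpc.akatsuki-production-vpc.ip_range` instead of hardcoding 10.118.0.0/20 is the right call; since the rule no longer admits the internet, confirm the self-hosted runners named in the new comment are actually inside that VPC before this is applied, otherwise any GitHub Actions job that talks to 6443 fails closed.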
