Restrict K8s API firewall to VPC + Tailscale only#37

Merged
cmyui merged 1 commit into master from restrict-k8s-api-firewall
Jan 13, 2026

Conversation

@cmyui
Member

@cmyui cmyui commented Jan 13, 2026

Summary

  • Restricts port 6443 (K8s API) from 0.0.0.0/0 to VPC + Tailscale only
  • VPC (10.118.0.0/20): kubelets, kube-proxy, GitHub runner
  • Tailscale (100.64.0.0/10): admin kubectl access

Prerequisites completed

  • Kubelets on worker01/worker02 updated to use VPC IP (10.118.0.2)
  • kube-proxy ConfigMap updated to use VPC IP
  • GitHub Actions self-hosted runner deployed in VPC
  • All CI workflows updated to use [self-hosted, vpc] runner
  • K8s API certificate includes VPC and Tailscale SANs

Test plan

  • Merge and let Terraform apply
  • Verify cluster remains healthy (kubectl get nodes)
  • Verify CI can still deploy (trigger a workflow)
  • Verify admin kubectl access via Tailscale still works

🤖 Generated with Claude Code

Now that GitHub Actions uses self-hosted runners in VPC,
we no longer need the K8s API open to the internet.

- VPC (10.118.0.0/20): Allows kubelets, kube-proxy, and GitHub runner
- Tailscale (100.64.0.0/10): Allows admin kubectl access

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@cmyui cmyui requested a review from infernalfire72 as a code owner January 13, 2026 08:34
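A regression guard for the rule this PR tightens, as an added example written for this page (not code from the repository or its CI): it reads `terraform show -json tfplan` output, finds every `digitalocean_firewall` inbound rule that covers TCP 6443, and reports any source that is 0.0.0.0/0 or ::/0 or falls outside the VPC and Tailscale ranges named in the description. The plan-JSON field names (`resource_changes`, `change.after.inbound_rule`) follow Terraform's JSON plan format; the sample plan embedded in the block is constructed from the plan output posted below, not captured from the project's pipeline, and the allowed ranges are taken from the PR text as an assumption.

```python
"""Policy check for `terraform show -json tfplan` output: refuse any plan that
leaves the Kubernetes API port reachable from sources outside the VPC and
Tailscale ranges. Added example for this page, not the repository's own code."""
import ipaddress
import json
import sys

API_PORT = 6443
WORLD = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
# Assumption: the two ranges named in the PR description.
ALLOWED_SOURCES = (
    ipaddress.ip_network("10.118.0.0/20"),  # DigitalOcean VPC
    ipaddress.ip_network("100.64.0.0/10"),  # Tailscale (CGNAT space)
)


def rule_covers_port(rule, port):
    """True if a digitalocean_firewall inbound_rule's port_range includes `port`.
    The provider renders ranges as "6443", "8000-9000" or "all"."""
    port_range = str(rule.get("port_range", ""))
    if port_range in ("", "all", "0"):
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def audit_rules(inbound_rules, port=API_PORT, allowed=ALLOWED_SOURCES):
    """Return a list of findings for TCP rules that expose `port` too widely."""
    findings = []
    for rule in inbound_rules:
        if rule.get("protocol") != "tcp" or not rule_covers_port(rule, port):
            continue
        for src in rule.get("source_addresses") or []:
            net = ipaddress.ip_network(src, strict=False)  # "1.1.1.1" -> 1.1.1.1/32
            if net in WORLD:
                findings.append(f"tcp/{port} open to the world via {src}")
            elif not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                findings.append(f"tcp/{port} allows source {src} outside VPC/Tailscale")
        # Droplet-, tag-, LB- and DOKS-based sources bypass the address check;
        # surface them so a reviewer looks rather than silently accepting them.
        for key in ("source_droplet_ids", "source_tags",
                    "source_load_balancer_uids", "source_kubernetes_ids"):
            if rule.get(key):
                findings.append(f"tcp/{port} uses non-address source {key}={rule[key]}")
    return findings


def audit_plan(plan):
    """Audit the post-apply ("after") state of every digitalocean_firewall in a plan.
    Returns {resource_address: [findings]}; an empty dict means the plan passes."""
    results = {}
    for change in plan.get("resource_changes", []):
        if change.get("type") != "digitalocean_firewall":
            continue
        after = (change.get("change") or {}).get("after") or {}
        findings = audit_rules(after.get("inbound_rule") or [])
        if findings:
            results[change["address"]] = findings
    return results


# Constructed sample shaped like `terraform show -json` for this PR's plan:
# "before" is the rule being removed, "after" the rule being added.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [{
        "address": "digitalocean_firewall.k8s-master-firewall[0]",
        "type": "digitalocean_firewall",
        "change": {
            "actions": ["update"],
            "before": {"inbound_rule": [
                {"port_range": "6443", "protocol": "tcp",
                 "source_addresses": ["0.0.0.0/0", "1.1.1.1", "::/0"],
                 "source_droplet_ids": [], "source_tags": []},
            ]},
            "after": {"inbound_rule": [
                {"port_range": "6443", "protocol": "tcp",
                 "source_addresses": ["10.118.0.0/20", "100.64.0.0/10"],
                 "source_droplet_ids": [], "source_tags": []},
            ]},
        },
    }],
}


def audit_before_and_after(plan=SAMPLE_PLAN):
    """For CI logs: findings for the pre-change and post-change rule sets."""
    out = {}
    for change in plan["resource_changes"]:
        for phase in ("before", "after"):
            rules = (change["change"].get(phase) or {}).get("inbound_rule") or []
            out[(change["address"], phase)] = audit_rules(rules)
    return out


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = audit_plan(plan)
    for address, findings in problems.items():
        for finding in findings:
            print(f"{address}: {finding}")
    sys.exit(1 if problems else 0)
```

Run it as `terraform show -json tfplan > plan.json && python check_api_exposure.py plan.json` in the plan job; a non-zero exit blocks the merge. The check only inspects address-based sources, so droplet-, tag- and load-balancer-based sources are reported rather than judged, which keeps the script honest about what it cannot evaluate offline.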
@github-actions

Terraform Plan Output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # digitalocean_firewall.k8s-master-firewall[0] will be updated in-place
  ~ resource "digitalocean_firewall" "k8s-master-firewall" {
        id              = "1ca8cd6e-bd3c-479d-bf01-c96ca47b863c"
        name            = "k8s-master-firewall"
        tags            = []
        # (4 unchanged attributes hidden)

      - inbound_rule {
          - port_range                = "6443" -> null
          - protocol                  = "tcp" -> null
          - source_addresses          = [
              - "0.0.0.0/0",
              - "1.1.1.1",
              - "::/0",
            ] -> null
          - source_droplet_ids        = [] -> null
          - source_kubernetes_ids     = [] -> null
          - source_load_balancer_uids = [] -> null
          - source_tags               = [] -> null
        }
      + inbound_rule {
          + port_range                = "6443"
          + protocol                  = "tcp"
          + source_addresses          = [
              + "10.118.0.0/20",
              + "100.64.0.0/10",
            ]
          + source_droplet_ids        = []
          + source_kubernetes_ids     = []
          + source_load_balancer_uids = []
          + source_tags               = []
        }

        # (9 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
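Review bot: the added rule's 100.64.0.0/10 entry is probably not what admits the Tailscale kubectl access the test plan checks, so say in the PR which path that traffic takes. A DigitalOcean cloud firewall filters packets before they reach the droplet; if tailscaled runs on the control-plane node, admin connections arrive on tailscale0 already decapsulated and never pass this rule, while the WireGuard UDP traffic that does cross the cloud firewall is governed by one of the "9 unchanged blocks hidden". Confirm that UDP rule is still present and treat the 100.64.0.0/10 entry as a statement of intent rather than the control that makes the Tailscale test pass. Two smaller points on the removed block: it also allowed ::/0 and a stray 1.1.1.1, and the replacement carries no IPv6 source at all, so the API becomes unreachable over IPv6 entirely; the summary mentions only 0.0.0.0/0, so spelling that out would help whoever reads the history.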

@cmyui cmyui merged commit de73d82 into master Jan 13, 2026
2 checks passed
@cmyui cmyui deleted the restrict-k8s-api-firewall branch January 13, 2026 08:34