Use node's private IP as advertisement address if hcloudNetwork.enabled == true

[MalteJ]

Would it make sense to deploy the kube-apiserver with the node's own private IP address as advertisement address, when the hcloud private networking is enabled?

This would allow us to create a nice firewalling of the nodes, which only allows communication via the private IPs and by that block all traffic from the internet (see #1615).

Control Plane access (e.g. from kubectl) would come in via the Hetzner LBs and appear as private traffic for the firewall.
Other loadbalancers created via hccm would need the load-balancer.hetzner.cloud/use-private-ip: "true" annotation.

[MalteJ]

Also kubelet-preferred-address-types should start with InternalIP in case of hcloudNetwork.enabled == true.
Otherwise traffic from the kube-apiserver to the worker nodes (e.g. when doing kubectl logs) will use the public network.

[batistein]

@MalteJ i can only recommend to not use any private network on hetzner see: #1472 (comment)

[MalteJ]

Then we need to have a dynamic firewalling, where ports are only accessible by nodes of the same cluster. Otherwise this would be a no go from a security perspective for me.
Saying that, we should think about endorsing IPv6 with a flat routing concept, where pods make use of the /64 prefix assigned to a node.

[batistein]

That's absolutely right, and it's one of the reasons why we incorporated it into our offering. I can only recommend to have a look into Cilium Host Firewall