k8s-开启防火墙时配置

详细配置

docker 网段 172.20.0.0/24
网卡 eth0

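#!/usr/bin/env bash
# Firewalld configuration for a Kubernetes node that keeps the host firewall on.
#
# Two parts:
#   1. Recreate the DOCKER-USER chain through firewalld's direct interface so
#      container traffic (docker0 <-> uplink) is not dropped by the zone rules.
#   2. Open the TCP/UDP ports the cluster components listen on in one zone,
#      enable masquerading, then reload so the permanent rules take effect.
#
# Environment overrides (defaults reproduce the original listing):
#   IFACE       uplink interface that docker0 traffic may be forwarded to  (eth0)
#   DOCKER_NET  container network allowed to talk internally (172.20.0.0/16)
#   ZONE        firewalld zone the service ports are opened in (public)
#
# Must run as root. Every firewall-cmd call is checked and the script stops on
# the first failure, except the two removals that legitimately fail on a fresh host.
set -euo pipefail

readonly IFACE="${IFACE:-eth0}"
# NOTE(review): the page header gives the docker network as 172.20.0.0/24 while
# the original RETURN rule used 172.20.0.0/16; the /16 is kept here — confirm
# which one is intended before relying on the internal-traffic rule.
readonly DOCKER_NET="${DOCKER_NET:-172.20.0.0/16}"
readonly ZONE="${ZONE:-public}"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

command -v firewall-cmd >/dev/null || die "firewall-cmd not found in PATH"

#######################################
# Run firewall-cmd with --permanent, logging the exact command to stderr so the
# applied rule set can be audited from the script output.
# Arguments: remaining firewall-cmd options
# Returns:   firewall-cmd's exit status
#######################################
fw() {
  printf '+ firewall-cmd --permanent' >&2
  printf ' %q' "$@" >&2
  printf '\n' >&2
  firewall-cmd --permanent "$@"
}

# --- DOCKER-USER chain --------------------------------------------------------
# Neither the chain nor its rules exist on a fresh host, so both removals are
# allowed to fail. firewalld can keep direct rules for a chain that is already
# gone, which is why --remove-rules is run in addition to --remove-chain.
# (Newer firewalld releases deprecate the direct interface in favour of policy
# objects; the direct rules are kept because that is what this host uses.)
fw --direct --remove-chain ipv4 filter DOCKER-USER || true
fw --direct --remove-rules ipv4 filter DOCKER-USER || true
fw --direct --add-chain ipv4 filter DOCKER-USER

# The first rule accepts everything arriving on docker0 regardless of its
# destination (including the host). If container-to-host access needs to be
# narrower, this is the rule to tighten; the zone rules below do not apply to it.
fw --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -j ACCEPT \
  -m comment --comment "allows incoming from docker"
fw --direct --add-rule ipv4 filter DOCKER-USER 0 -i docker0 -o "$IFACE" -j ACCEPT \
  -m comment --comment "allows docker to ${IFACE}"
fw --direct --add-rule ipv4 filter DOCKER-USER 0 \
  -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT \
  -m comment --comment "allows docker containers to connect to the outside world"
fw --direct --add-rule ipv4 filter DOCKER-USER 0 -j RETURN -s "$DOCKER_NET" \
  -m comment --comment "allow internal docker communication"

# --- service ports -------------------------------------------------------------
# One "<port>/<proto>" entry per port or range, as --add-port expects. The
# original listing opened 444/tcp and 8443/tcp twice; each is listed once here.
ports=(
  # nginx
  80/tcp
  # high availability (load-balanced control-plane endpoint); 8443/tcp is also
  # used by ceph below
  8443/tcp
  # etcd client (2379) and peer (2380). These should only be reachable from the
  # other control-plane members; consider a rich rule limited to those sources
  # instead of a zone-wide open port.
  2379/tcp
  2380/tcp
  # calico
  9099/tcp
  179/tcp
  # kubelet. 10255 is the read-only kubelet port, which serves pod and node
  # metadata without authentication; keep it only if something on the network
  # still depends on it.
  10248/tcp
  10250/tcp
  10255/tcp
  46547/tcp
  # kube-proxy metrics and the NodePort range
  10249/tcp
  30000-33000/tcp
  # harbor
  1514/tcp
  5555/tcp
  4443/tcp
  444/tcp
  10080/tcp
  # kube-scheduler
  10251/tcp
  # kube-apiserver. 8080 is the legacy insecure (unauthenticated) apiserver
  # port, removed in current Kubernetes releases; keep it only if this cluster
  # still binds it.
  6443/tcp
  8080/tcp
  # kube-controller-manager
  10252/tcp
  # ceph
  6800-6809/tcp
  3300/tcp
  6789/tcp
  9283/tcp
  # prometheus (node exporter and the NodePort-exposed UIs)
  9100/tcp
  30900/tcp
  30901/tcp
  30902/tcp
  30903/tcp
  # chrony
  123/udp
)

for port in "${ports[@]}"; do
  fw --zone="$ZONE" --add-port="$port"
done

# Enable masquerading so forwarded (container / NodePort) traffic is NATed.
fw --add-masquerade

# Make the permanent configuration the running one.
firewall-cmd --reload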