- Instead of setting the iptables FORWARD default policy to ACCEPT, leave it as DROP and follow this gist
- Configure explicit permit rules in /etc/iptables.conf (from the above gist), e.g.
    # Allow internal private k8s IPs to talk
    -A FILTERS -m state --state NEW -s 10.0.0.0/8 -j ACCEPT
    # Permit direct https/6443 access to k8s proxy from local subnet
    -A FILTERS -m state --state NEW -m tcp -p tcp --dport 6443 -s your-src-ip-subnet/24 -j ACCEPT
    # Permit direct https/443 access to ingress from local subnet
    -A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -s your-src-ip-subnet/24 -j ACCEPT
    # Reject everything else
    -A FILTERS -j REJECT --reject-with icmp-host-prohibited
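The FILTERS chain above is evaluated first-match, so the order of the ACCEPT lines relative to the final REJECT is what makes the policy work. The following is an added example (not part of the gist) that parses those rule lines and simulates the verdict a NEW connection would get; it stands in 192.0.2.0/24 (a documentation range) for "your-src-ip-subnet/24", and ignores the state/tcp match extensions, which do not change the outcome for a new TCP connection.

```python
import ipaddress
import shlex

# Constructed copy of the FILTERS rules above, with a placeholder subnet
# (192.0.2.0/24) in place of "your-src-ip-subnet/24".
RULES_TEXT = """
# Allow internal private k8s IPs to talk
-A FILTERS -m state --state NEW -s 10.0.0.0/8 -j ACCEPT
# Permit direct https/6443 access to k8s proxy from local subnet
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 6443 -s 192.0.2.0/24 -j ACCEPT
# Permit direct https/443 access to ingress from local subnet
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 443 -s 192.0.2.0/24 -j ACCEPT
# Reject everything else
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
"""


def parse_rules(text, chain="FILTERS"):
    """Turn '-A CHAIN ...' lines into simple match dicts, in chain order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain]:
            continue
        rule = {"src": None, "proto": None, "dport": None, "target": None}
        i = 2
        while i < len(tok):
            t = tok[i]
            if t == "-s":
                rule["src"] = ipaddress.ip_network(tok[i + 1], strict=False)
                i += 2
            elif t == "-p":
                rule["proto"] = tok[i + 1]
                i += 2
            elif t == "--dport":
                rule["dport"] = int(tok[i + 1])
                i += 2
            elif t == "-j":
                rule["target"] = tok[i + 1]
                i += 2
            elif t in ("-m", "--state", "--reject-with"):
                i += 2  # option plus its argument; irrelevant to this simulation
            else:
                i += 1
        rules.append(rule)
    return rules


def evaluate(rules, src_ip, proto="tcp", dport=None):
    """First-match evaluation of a NEW connection; returns the rule target,
    or 'NO-MATCH' when the chain's default policy would apply."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["src"] is not None and ip not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return "NO-MATCH"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for src, proto, port in [("10.1.2.3", "tcp", 22), ("192.0.2.10", "tcp", 6443),
                             ("192.0.2.10", "tcp", 22), ("203.0.113.9", "tcp", 443)]:
        print(f"{src}:{port}/{proto} -> {evaluate(rules, src, proto, port)}")
```

Running it shows that an internal 10.x address reaches anything, the local subnet reaches only 443 and 6443, and every other source hits the trailing REJECT; dropping the REJECT line would instead fall through to the chain policy.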
- Now you can create a local admin.conf file to access the remote 6443 proxy, e.g.:
    apiVersion: v1
    clusters:
    - cluster:
        server: https://your-microk8s-host:6443
        insecure-skip-tls-verify: true
      name: microk8s-cluster
    contexts:
    - context:
        cluster: microk8s-cluster
        namespace: default
        user: admin
      name: microk8s
    current-context: microk8s
    kind: Config
    preferences: {}
    users:
    - name: admin
      user:
        username: admin
        password: get this from ${SNAP}/microk8s/current/basic_auth.csv (the 1st field)
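As an added example (not part of the gist), the script below reads the password out of a basic_auth.csv-shaped file and emits the admin.conf above as JSON, which kubectl accepts since JSON is valid YAML. The sample CSV row is constructed in the Kubernetes basic-auth file layout (password,user,uid,groups), with a fake password. The optional ca_pem parameter is an assumption of this example: when you can copy the cluster CA out of the microk8s host, embedding it as certificate-authority-data lets the client verify the 6443 endpoint instead of setting insecure-skip-tls-verify.

```python
import base64
import csv
import io
import json

# Constructed stand-in for ${SNAP}/microk8s/current/basic_auth.csv.
# Layout follows the Kubernetes basic-auth file: password,user,uid,"group1,group2".
SAMPLE_BASIC_AUTH = 'EXAMPLE-PASSWORD-NOT-REAL,admin,admin,"system:masters"\n'


def admin_password(csv_text, user="admin"):
    """Return the 1st field (password) of the row whose 2nd field is `user`."""
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) >= 2 and row[1] == user:
            return row[0]
    raise KeyError(f"no basic_auth.csv entry for user {user!r}")


def build_kubeconfig(host, password, user="admin", ca_pem=None):
    """Build the kubeconfig dict shown above; ca_pem (hypothetical input) swaps
    insecure-skip-tls-verify for a pinned certificate-authority-data."""
    cluster = {"server": f"https://{host}:6443"}
    if ca_pem:
        cluster["certificate-authority-data"] = base64.b64encode(ca_pem.encode()).decode()
    else:
        cluster["insecure-skip-tls-verify"] = True
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": "microk8s-cluster", "cluster": cluster}],
        "contexts": [{"name": "microk8s",
                      "context": {"cluster": "microk8s-cluster",
                                  "namespace": "default",
                                  "user": user}}],
        "current-context": "microk8s",
        "users": [{"name": user, "user": {"username": user, "password": password}}],
    }


def render_admin_conf(host, csv_text, ca_pem=None):
    """Return the admin.conf contents as a JSON string (valid YAML for kubectl)."""
    cfg = build_kubeconfig(host, admin_password(csv_text), ca_pem=ca_pem)
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    print(render_admin_conf("your-microk8s-host", SAMPLE_BASIC_AUTH))
```

Write the output to ~/.kube/admin.conf (or point KUBECONFIG at it) and keep its mode at 0600, since it carries the cluster admin password in clear text.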