- Instead of setting iptables FORWARD default policy to ACCEPT, leave as DROP and follow this gist
- Configure explicit permit rules in /etc/iptables.conf (from above gist), e.g.
# Allow internal private k8s IPs to talk
-A FILTERS -m state --state NEW -s 10.0.0.0/8 -j ACCEPT
# Permit direct https/6443 access to k8s proxy from local subnet
-A FILTERS -m state --state NEW -m tcp -p tcp --dport 6443 -s your-src-ip-subnet/24 -j ACCEPT