Created
September 28, 2021 16:03
-
-
Save jhoelzel/f27b7a05640e4cf7d535d24c844cc71e to your computer and use it in GitHub Desktop.
Kuberenetes node cloudconfig basics for public nodes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #cloud-config | |
| packages: | |
| - ufw | |
| - fail2ban | |
| package_update: true | |
| package_upgrade: true | |
| runcmd: | |
| - sed -i 's/[#]*PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config | |
| - sed -i 's/[#]*PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config | |
| - systemctl restart sshd | |
| - ufw allow proto tcp from any to any port 22 | |
| - ufw allow from 173.212.218.6 | |
| - ufw allow from 10.43.0.0/16 | |
| - ufw allow from 10.42.0.0/16 | |
| - ufw allow from 10.0.0.0/16 | |
| - ufw allow from 10.244.0.0/16 | |
| - ufw -f default deny incoming | |
| - ufw -f default allow outgoing | |
| - ufw -f enable |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please Note that " - ufw allow proto tcp from any to any port 22 " is only for testing setups.
In a production cluster you would provision a jump host using wireguard to keep all information transfered across the wire private.
If you already have a private connetion setup replace "from any to any" with your ip/ip-range.
Static IP adresses served by your probvider might not be sufficient here as they can be spoofed and in general whitelisting your entire org is not a good idea. Remember that eveny our guest-wifi might have the same egress IP.
If you are interested, I do provide advanced networking services using wireguard and OpernWRT for both, machine level, as well as access point level.