Running RKE2 with a bridge as the primary interfac...
# general
s
Running RKE2 with a bridge as the primary interface for multus. I see the docs want firewalld disabled but I don't want non-cluster members to have access to the etcd port, etc. Any solutions here?
c
etcd is protected by tls mutual authentication, what’s the threat model?
s
Compliance teams. In theory DDoS and zero-days as well
c
unfortunately part of what comes with multus is no network policy support. you’re basically running pods with host network.
don’t expose your control-plane directly to hostile networks
s
Trust me I hear you and not planning on it but defense in depth is important. Just looking to see if anyone has a solution