Running RKE2 with a bridge as the primary interfac...
# generals
silly-balloon-22613
08/28/2025, 12:53 AMRunning RKE2 with a bridge as the primary interface for multis. I see the docs want firewalld disabled but I don't want non cluster members to have access to the etcd port, etc. Any solutions here?
c
creamy-pencil-82913
08/28/2025, 12:55 AMetcd is protected by tls mutual authentication, what’s the threat model?
s
silly-balloon-22613
08/28/2025, 12:56 AMCompliance teams. In theory ddos and zero days as well
c
creamy-pencil-82913
08/28/2025, 12:57 AMunfortunately part of what comes with multus is no network policy support. you’re basically running pods with host network.
creamy-pencil-82913
08/28/2025, 12:57 AMdon’t expose your control-plane directly to hostile networks
s
silly-balloon-22613
08/28/2025, 12:59 AMTrust me I hear you and not planning on it but defense in depth is important. Just looking to see if anyone has a solution
silly-balloon-22613
08/28/2025, 6:46 PMFor anyone that finds this I think just throwing all the nodes in an Ipset then adding that ipset to the trusted zone and whatever ports you want to expose to the public zone should work
6 Views