linode-cloud-controller-manager

Firewall Setup

Overview

The CCM provides two methods for securing NodeBalancers with firewalls:

CCM-managed Cloud Firewalls (using firewall-acl annotation)
User-managed Cloud Firewalls (using firewall-id annotation)

CCM-Managed Firewalls

Configuration

Use the firewall-acl annotation to specify firewall rules. The rules should be provided as a JSON object with either an allowList or denyList (but not both).

Allow List Configuration

apiVersion: v1
kind: Service
metadata:
  name: restricted-service
  annotations:
    service.beta.kubernetes.io/linode-loadbalancer-firewall-acl: |
      {
        "allowList": {
          "ipv4": ["192.168.0.0/16", "10.0.0.0/8"],
          "ipv6": ["2001:db8::/32"]
        }
      }

Deny List Configuration

metadata:
  annotations:
    service.beta.kubernetes.io/linode-loadbalancer-firewall-acl: |
      {
        "denyList": {
          "ipv4": ["203.0.113.0/24"],
          "ipv6": ["2001:db8:1234::/48"]
        }
      }

Behavior

Only one type of list (allow or deny) can be used per service
Rules are automatically created and managed by the CCM
Rules are updated when the annotation changes
Firewall is deleted when the service is deleted (unless preserved)

User-Managed Firewalls

Configuration

Create a Cloud Firewall in Linode Cloud Manager
Attach it to the service using the firewall-id annotation:

metadata:
  annotations:
    service.beta.kubernetes.io/linode-loadbalancer-firewall-id: "12345"

Management

User maintains full control over firewall rules
Firewall persists after service deletion
Manual updates required for rule changes

Best Practices

Rule Management
- Use descriptive rule labels
- Document rule changes
- Regular security audits
IP Range Planning
- Plan CIDR ranges carefully
- Document allowed/denied ranges
- Consider future expansion

For more information:

This site is open source. Improve this page.