How to Add a Control Plane Firewall Early Availability

DigitalOcean Kubernetes (DOKS) is a managed Kubernetes service. Deploy Kubernetes clusters with a fully managed control plane, high availability, autoscaling, and native integration with DigitalOcean Load Balancers and volumes. DOKS clusters are compatible with standard Kubernetes toolchains and the DigitalOcean API and CLI.


Control plane firewalls are in Early Availability for select DOKS customers. The feature improves security and traffic for your cluster. Once enabled, only configured IP addresses, cluster worker nodes and workloads, and internal systems that manage the cluster (such as cluster upgrades) can access the control plane.

Existing open connections continue to work until they terminate. However, for WATCH requests, the API server enforces a maximum of 30 minutes for terminating the open connection.

Add a Control Plane Firewall Using the DigitalOcean CLI

To add a control plane firewall when creating a cluster with doctl kubernetes cluster create, set the --enable-control-plane-firewall flag to true and specify the IP addresses in the --control-plane-firewall-allowed-addresses flag.

The following example creates a cluster named example-cluster in the nyc1 region with a node pool using Kubernetes version 1.30.1-do.0 with a firewall added to the control plane.

doctl kubernetes cluster create example-cluster --region nyc1 --version 1.30.1-do.0` --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16"

To add a control plane firewall to an existing cluster, use the doctl kubernetes cluster update command. Set the --enable-control-plane-firewall flag set to true and specify the IP addresses in the --control-plane-firewall-allowed-addresses flag. For example:

doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16"

You may experience a brief disruption to the API server as your cluster reconfigures to use the firewall.

Remove a Control Plane Firewall Using the DigitalOcean CLI

To remove an existing control plane firewall, use the doctl kubernetes cluster update command with the --enable-control-plane-firewall flag set to false. For example:

doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=false

Add a Control Plane Firewall Using the DigitalOcean API

Add a control plane firewall to a cluster using the DigitalOcean API with cURL or Go.

To add a control plane firewall when creating a cluster, send a POST request to https://api.digitalocean.com/v2/kubernetes/clusters with the following request body:

curl --location 'https://api.digitalocean.com/v2/kubernetes/clusters' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \
--data '{
    "name": "fw-create-test-1",
    "region": "syd1",
    "version": "1.30.1-do.0",
    "node_pools": [
        {
            "size": "s-1vcpu-2gb",
            "count": 3,
            "name": "worker-pool"
        }
    ],
    "control_plane_firewall": {
        "enabled": true,
        "allowed_addresses": [
            "1.2.3.4/32",
            "4.3.2.1"
        ]
    }
}'

To add a control plane firewall to an existing cluster, send a PUT request to https://api.digitalocean.com/v2/kubernetes/clusters with the following request body:

curl --location --request PUT 'https://api.digitalocean.com/v2/kubernetes/clusters/{cluster_id}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \
--data '{
    "control_plane_firewall": {
        "enabled": true,
        "allowed_addresses": [
            "1.2.3.4"
        ]
    }
}'

Go developers can use Godo, the official DigitalOcean V2 API client for Go. To add a control plane firewall when creating a Kubernetes cluster with Godo, use the following code:

    
        
            
package main

import (
	"context"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("your-digitalocean-token")

	enabled := true
	_, _, _ = client.Kubernetes.Create(context.Background(), &godo.KubernetesClusterCreateRequest{
		Name:        "control-plane-firewall-godo",
		RegionSlug:  "nyc1",
		VersionSlug: "1.30.1-do.0",
		NodePools: []*godo.KubernetesNodePoolCreateRequest{
			{
				Name:  "worker-pool",
				Count: 3,
				Size:  "s-1vcpu-2gb",
			},
		},
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
			AllowedAddresses: []string{
				"1.2.3.4/32",
				"4.3.2.1",
			},
		},
	})
}

        
    

To add a control plane firewall to an existing cluster with Godo, use the following code:

    
        
            
package main

import (
	"context"
	"fmt"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("your-digitalocean-token")

	enabled := true
	_, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
			AllowedAddresses: []string{
				"1.2.3.4/32",
			},
		},
	})
}

        
    

Remove a Control Plane Firewall Using the DigitalOcean API

To remove a control plane firewall, set the enabled flag to false. For example, use the following code with Godo:

    
        
            
package main

import (
	"context"
	"fmt"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("your-digitalocean-token")

	enabled := false
	_, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
			AllowedAddresses: []string{
				"1.2.3.4/32",
			},
		},
	})
}