DigitalOcean Kubernetes (DOKS) is a managed Kubernetes service. Deploy Kubernetes clusters with a fully managed control plane, high availability, autoscaling, and native integration with DigitalOcean Load Balancers and volumes. DOKS clusters are compatible with standard Kubernetes toolchains and the DigitalOcean API and CLI.
Control plane firewalls are in Early Availability for select DOKS customers. The feature improves security and traffic for your cluster. Once enabled, only configured IP addresses, cluster worker nodes and workloads, and internal systems that manage the cluster (such as cluster upgrades) can access the control plane.
Existing open connections continue to work until they terminate. However, for WATCH
requests, the API server enforces a maximum of 30 minutes for terminating the open connection.
To add a control plane firewall when creating a cluster with doctl kubernetes cluster create
, set the --enable-control-plane-firewall
flag to true
and specify the IP addresses in the --control-plane-firewall-allowed-addresses
flag.
The following example creates a cluster named example-cluster
in the nyc1
region with a node pool using Kubernetes version 1.30.1-do.0
with a firewall added to the control plane.
doctl kubernetes cluster create example-cluster --region nyc1 --version 1.30.1-do.0` --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16"
To add a control plane firewall to an existing cluster, use the doctl kubernetes cluster update
command. Set the --enable-control-plane-firewall
flag set to true
and specify the IP addresses in the --control-plane-firewall-allowed-addresses
flag. For example:
doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16"
You may experience a brief disruption to the API server as your cluster reconfigures to use the firewall.
To remove an existing control plane firewall, use the doctl kubernetes cluster update
command with the --enable-control-plane-firewall
flag set to false
. For example:
doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=false
Add a control plane firewall to a cluster using the DigitalOcean API with cURL or Go.
To add a control plane firewall when creating a cluster, send a POST
request to https://api.digitalocean.com/v2/kubernetes/clusters
with the following request body:
curl --location 'https://api.digitalocean.com/v2/kubernetes/clusters' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \
--data '{
"name": "fw-create-test-1",
"region": "syd1",
"version": "1.30.1-do.0",
"node_pools": [
{
"size": "s-1vcpu-2gb",
"count": 3,
"name": "worker-pool"
}
],
"control_plane_firewall": {
"enabled": true,
"allowed_addresses": [
"1.2.3.4/32",
"4.3.2.1"
]
}
}'
To add a control plane firewall to an existing cluster, send a PUT
request to https://api.digitalocean.com/v2/kubernetes/clusters
with the following request body:
curl --location --request PUT 'https://api.digitalocean.com/v2/kubernetes/clusters/{cluster_id}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \
--data '{
"control_plane_firewall": {
"enabled": true,
"allowed_addresses": [
"1.2.3.4"
]
}
}'
Go developers can use Godo, the official DigitalOcean V2 API client for Go. To add a control plane firewall when creating a Kubernetes cluster with Godo, use the following code:
package main
import (
"context"
"github.com/digitalocean/godo"
)
func main() {
client := godo.NewFromToken("your-digitalocean-token")
enabled := true
_, _, _ = client.Kubernetes.Create(context.Background(), &godo.KubernetesClusterCreateRequest{
Name: "control-plane-firewall-godo",
RegionSlug: "nyc1",
VersionSlug: "1.30.1-do.0",
NodePools: []*godo.KubernetesNodePoolCreateRequest{
{
Name: "worker-pool",
Count: 3,
Size: "s-1vcpu-2gb",
},
},
ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
Enabled: &enabled,
AllowedAddresses: []string{
"1.2.3.4/32",
"4.3.2.1",
},
},
})
}
To add a control plane firewall to an existing cluster with Godo, use the following code:
package main
import (
"context"
"fmt"
"github.com/digitalocean/godo"
)
func main() {
client := godo.NewFromToken("your-digitalocean-token")
enabled := true
_, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{
ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
Enabled: &enabled,
AllowedAddresses: []string{
"1.2.3.4/32",
},
},
})
}
To remove a control plane firewall, set the enabled
flag to false
. For example, use the following code with Godo:
package main
import (
"context"
"fmt"
"github.com/digitalocean/godo"
)
func main() {
client := godo.NewFromToken("your-digitalocean-token")
enabled := false
_, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{
ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
Enabled: &enabled,
AllowedAddresses: []string{
"1.2.3.4/32",
},
},
})
}