You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request designed to solve a problem? If so describe the problem this feature should solve.:
The Hetzner cloud provider attaches a single, cluster-wide firewall to every server it creates, configured via the HCLOUD_FIREWALL environment variable. There is currently no way to attach extra firewall rules to just one nodepool, any rule added to HCLOUD_FIREWALL applies to every node in the cluster.
This is a problem when a single nodepool needs a different firewall posture from the rest of the cluster. For example, a dedicated ingress/edge pool may need a public port range open, while the control-plane and general worker pools should keep a tight firewall. With only a global firewall, opening those ports relaxes the firewall on every node.
Describe the solution you'd like.:
Add an optional firewalls field to NodeConfig (nodeConfigs in HCLOUD_CLUSTER_CONFIG) listing additional firewall ids or names to attach to that nodepool's servers, in addition to the cluster-wide HCLOUD_FIREWALL. The cluster firewall and the per-nodepool firewalls would be merged (deduplicated by id) at server creation, mirroring how the existing per-pool placementGroup field is resolved and applied. HCLOUD_FIREWALL would be unchanged and remain cluster-wide; the new field would be optional and additive.
Describe any alternative solutions you've considered.:
Put every rule in the global HCLOUD_FIREWALL: relaxes the firewall on the whole cluster, which is what we want to avoid.
A label-selector firewall + serverLabels (feat(hetzner): add serverLabels field to nodeConfig for Hetzner server labels #9430): stamp labels on the pool's nodes via serverLabels, give the firewall an apply_to label selector, and Hetzner auto-attaches it. It's a reasonable workaround, but indirect (two loosely-coupled pieces), and the attachment is evaluated after the server is created rather than applied at creation time. A first-class firewalls field is explicit, attaches synchronously at creation, and keeps all firewalls on a single firewall_ids management path.
Which component are you using?:
/area cluster-autoscaler
cluster-autoscaler — Hetzner Cloud provider (
cloudprovider/hetzner).Is your feature request designed to solve a problem? If so describe the problem this feature should solve.:
The Hetzner cloud provider attaches a single, cluster-wide firewall to every server it creates, configured via the
HCLOUD_FIREWALLenvironment variable. There is currently no way to attach extra firewall rules to just one nodepool, any rule added toHCLOUD_FIREWALLapplies to every node in the cluster.This is a problem when a single nodepool needs a different firewall posture from the rest of the cluster. For example, a dedicated ingress/edge pool may need a public port range open, while the control-plane and general worker pools should keep a tight firewall. With only a global firewall, opening those ports relaxes the firewall on every node.
Describe the solution you'd like.:
Add an optional
firewallsfield toNodeConfig(nodeConfigsinHCLOUD_CLUSTER_CONFIG) listing additional firewall ids or names to attach to that nodepool's servers, in addition to the cluster-wideHCLOUD_FIREWALL. The cluster firewall and the per-nodepool firewalls would be merged (deduplicated by id) at server creation, mirroring how the existing per-poolplacementGroupfield is resolved and applied.HCLOUD_FIREWALLwould be unchanged and remain cluster-wide; the new field would be optional and additive.Describe any alternative solutions you've considered.:
HCLOUD_FIREWALL: relaxes the firewall on the whole cluster, which is what we want to avoid.serverLabels(feat(hetzner): add serverLabels field to nodeConfig for Hetzner server labels #9430): stamp labels on the pool's nodes viaserverLabels, give the firewall anapply_tolabel selector, and Hetzner auto-attaches it. It's a reasonable workaround, but indirect (two loosely-coupled pieces), and the attachment is evaluated after the server is created rather than applied at creation time. A first-classfirewallsfield is explicit, attaches synchronously at creation, and keeps all firewalls on a singlefirewall_idsmanagement path.Additional context.: