Overview
Command applyfirewall reconciles the Hetzner Robot stateless firewall on the PUBLIC IP of bare-metal nodes, directly against the Robot API.
It is standalone, operational tooling for clusters whose management cluster is gone (e.g. a pivoted, self-managing workload cluster): the Robot firewall is an infrastructure object, so this needs no kubeconfig, CAPI, or management cluster — only Robot web-service credentials and each node's main (public) IP.
Control-plane and worker nodes get different rulesets (see docs/hetzner-bare-metal-network-surface.md):
- control-plane (CP_SERVER_IPS): SSH (ALLOW_SSH_FROM, else all), deny 6443 (apiserver via the NetBird operator), allow 80/443 + ALLOW_PUBLIC scoped to FAILOVER_IP (the public ingress), ICMP, return traffic.
- worker (WORKER_SERVER_IPS): SSH (ALLOW_SSH_FROM, else all), ICMP, return — nothing else public.
SAFETY: with ALLOW_SSH_FROM set, public SSH is restricted to those sources, and the apiserver (6443) is always denied on the public IP — reach it over NetBird. Defaults to DRY-RUN; set APPLY=true to push. Reversible via the Robot UI/API.
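The two rulesets above, derived from the documented inputs, as an added illustration that is not code from the applyfirewall tool: the Rule struct is a hypothetical simplified shape, not the Robot API's wire format, and the trailing explicit discard is this sketch's choice rather than something the command is documented to emit.

```go
package main

import "strings"

// Rule is a simplified, hypothetical representation of one Robot firewall
// input rule; the real API's field names and encoding are not modelled here.
type Rule struct {
	Name, SrcIP, DstIP, DstPort, Protocol, TCPFlags, Action string // empty field = any
}

// Inputs mirrors the environment variables documented above.
type Inputs struct {
	AllowSSHFrom []string // ALLOW_SSH_FROM entries (IPs or CIDRs); empty = all sources
	FailoverIP   string   // FAILOVER_IP; empty means the public allows are not scoped
	AllowPublic  []string // ALLOW_PUBLIC entries such as "5432/tcp"
}

// DesiredRules builds the ordered input ruleset for one node. Rules are
// first-match, so the 6443 discard is placed before any broader accept.
func DesiredRules(controlPlane bool, in Inputs) []Rule {
	var rules []Rule
	// SSH: restricted to ALLOW_SSH_FROM when set, otherwise open to all.
	if len(in.AllowSSHFrom) == 0 {
		rules = append(rules, Rule{Name: "ssh", DstPort: "22", Protocol: "tcp", Action: "accept"})
	}
	for _, src := range in.AllowSSHFrom {
		rules = append(rules, Rule{Name: "ssh " + src, SrcIP: src, DstPort: "22", Protocol: "tcp", Action: "accept"})
	}
	if controlPlane {
		// The apiserver is never reachable on the public IP; it is served over NetBird.
		rules = append(rules, Rule{Name: "deny apiserver", DstPort: "6443", Protocol: "tcp", Action: "discard"})
		// Public ingress: 80/443 plus ALLOW_PUBLIC, scoped to the failover IP.
		for _, p := range append([]string{"80/tcp", "443/tcp"}, in.AllowPublic...) {
			port, proto, found := strings.Cut(p, "/")
			if !found {
				proto = "tcp" // a bare port number is taken as tcp
			}
			rules = append(rules, Rule{Name: "public " + p, DstIP: in.FailoverIP, DstPort: port, Protocol: proto, Action: "accept"})
		}
	}
	// Stateless firewall: ICMP and TCP return traffic (ACK set) must be accepted
	// explicitly; the final discard makes the default independent of the Robot side.
	return append(rules,
		Rule{Name: "icmp", Protocol: "icmp", Action: "accept"},
		Rule{Name: "return", Protocol: "tcp", TCPFlags: "ack", Action: "accept"},
		Rule{Name: "deny rest", Action: "discard"},
	)
}
```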
Usage:

    ROBOT_USER=... ROBOT_PASSWORD=... \
    CP_SERVER_IPS=1.2.3.4,1.2.3.5,1.2.3.6 \
    WORKER_SERVER_IPS=1.2.3.7,1.2.3.8 \
    [FAILOVER_IP=1.2.3.9] \
    [ALLOW_SSH_FROM=203.0.113.4,203.0.113.0/24] \
    [ALLOW_PUBLIC=5432/tcp] \
    [APPLY=true] \
    go run ./tools/applyfirewall