Rules for access to ROKS and IKS Service Endpoint URLs
ROKS and IKS use a single NodePort service in the cluster to reach the worker nodes. Because both are managed services, they do not provide direct access to the control plane; connections must instead go through the Service endpoint URL, which is shown in the IBM Cloud portal under Clusters > Cluster Overview > Networking.
The Service endpoint URL consists of a Fully Qualified Domain Name (FQDN) and a port in the 30000 to 33000 range (the port of that NodePort service).
As an example, the Service endpoint URL could look like:
https://1example.us-south.containers.cloud.ibm.com:31081
To avoid writing a rule that opens the entire 30000 to 33000 port range, create a rule from the Node label to a destination list (here, iks_endpoint_list) that contains either the endpoint FQDNs or the IP addresses those FQDNs resolve to. The source and destination ports in the rule match the port at the end of the Service endpoint URL. The protocol is TCP: the Service endpoint URL is an https:// URL, so a UDP rule on that port would not permit the connection. If you populate the list with IP addresses rather than FQDNs, re-check them periodically, because the addresses an FQDN resolves to can change and a stale list silently breaks access to the cluster.
Example rule:
Node → iks_endpoint_list 31081 TCP 31081 TCP
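As an added example (not part of the original page and not any vendor's tooling), the following Python derives that rule from a Service endpoint URL: it parses the FQDN and port, rejects URLs that are not https:// or whose port is outside the range above, optionally resolves the FQDN to the IP list, renders the rule in the notation used above with protocol TCP, and runs a plain TCP connect check so you can confirm the port is actually reachable once the rule is in place. The helper names, the 1example URL and the resolver results are constructed for illustration.

```python
"""Build a narrow TCP egress rule for a ROKS/IKS Service endpoint URL.

Added example with hypothetical helper names; the rule fields mirror the
page's "Node -> iks_endpoint_list <port> TCP" notation.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Port range the page gives for ROKS/IKS Service endpoint URLs.
NODEPORT_RANGE = range(30000, 33001)

# Narrowed signature of socket.getaddrinfo: (host, port) -> addrinfo tuples.
# Injectable so the resolution step can be exercised without live DNS.
Resolver = Callable[[str, object], List[tuple]]


@dataclass(frozen=True)
class Endpoint:
    fqdn: str
    port: int


@dataclass(frozen=True)
class Rule:
    source_label: str           # consumer side, e.g. the "Node" label
    destination_list: str       # name of the list holding FQDNs or IPs
    destinations: Tuple[str, ...]
    port: int
    protocol: str               # always TCP: the endpoint is https://


def parse_service_endpoint(url: str) -> Endpoint:
    """Extract FQDN and port; reject anything but https://<fqdn>:<nodeport>."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError(f"Service endpoint URL must use https://, got {parts.scheme!r}")
    port = parts.port  # raises ValueError itself if the port is not numeric
    if not parts.hostname or port is None:
        raise ValueError("Service endpoint URL must be https://<fqdn>:<port>")
    if port not in NODEPORT_RANGE:
        raise ValueError(f"port {port} is outside the expected NodePort range")
    return Endpoint(parts.hostname.lower(), port)


def resolve_fqdn(fqdn: str, resolver: Resolver = socket.getaddrinfo) -> List[str]:
    """Unique addresses the FQDN resolves to, sorted so the rule is stable."""
    infos = resolver(fqdn, None)
    # sockaddr[0] is the address for both IPv4 and IPv6 entries.
    return sorted({info[4][0] for info in infos})


def build_rule(url: str, *, use_ips: bool = False,
               source_label: str = "Node",
               list_name: str = "iks_endpoint_list",
               resolver: Resolver = socket.getaddrinfo) -> Rule:
    """Derive the single-port TCP rule from the Node label to the endpoint list.

    use_ips=False puts the FQDN itself in the list; use_ips=True snapshots the
    addresses it resolves to right now (re-run it when DNS changes).
    """
    ep = parse_service_endpoint(url)
    dests = tuple(resolve_fqdn(ep.fqdn, resolver)) if use_ips else (ep.fqdn,)
    return Rule(source_label, list_name, dests, ep.port, "TCP")


def format_rule(rule: Rule) -> str:
    """Render in the page's notation: source -> list, then source and destination port/protocol."""
    return (f"{rule.source_label} → {rule.destination_list} "
            f"{rule.port} {rule.protocol} {rule.port} {rule.protocol}")


def endpoint_reachable(ep: Endpoint, timeout: float = 3.0,
                       connect=socket.create_connection) -> bool:
    """True if a TCP handshake completes on the endpoint port (the rule lets the SYN through)."""
    try:
        sock = connect((ep.fqdn, ep.port), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True


if __name__ == "__main__":
    # Constructed sample URL in the page's format, not a real cluster.
    url = "https://1example.us-south.containers.cloud.ibm.com:31081"
    rule = build_rule(url)
    print(format_rule(rule))
    print("reachable:", endpoint_reachable(parse_service_endpoint(url)))
```

Keeping the FQDN in the list (the default) lets the rule follow DNS; the IP snapshot mode exists for enforcement points that cannot match on names, and the sorted output makes diffs between two snapshots meaningful when you re-check the list.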