How to Add a Control Plane Firewall

Validated on 31 Mar 2026 • Last edited on 31 Mar 2026

DigitalOcean Kubernetes (DOKS) is a Kubernetes service with a fully managed control plane, high availability, and autoscaling. DOKS integrates with standard Kubernetes toolchains and DigitalOcean’s load balancers, volumes, CPU and GPU Droplets, API, and CLI.

Control plane firewalls restrict which IP addresses can access your cluster’s API server. Allowed addresses must be public IPv4 addresses in CIDR notation, with up to 500 per cluster. Private IP ranges (RFC 1918) are not supported.

Once enabled, only the following sources can reach the control plane:

  • IP addresses you specify in the allowed addresses list.
  • Cluster worker nodes and workloads. Worker node IPs are automatically managed and kept in sync as nodes are added or removed from the cluster.
  • Internal DigitalOcean systems that manage the cluster, such as cluster upgrades.

Note

The first time you enable the control plane firewall, you may experience the following temporary effects:

  • Requests to the control plane may be disrupted.
  • Access rules may not be fully enforced immediately.
  • Existing open connections continue to work until they terminate. This includes WATCH requests that are forcefully terminated by the API server after a maximum period of 30 minutes.
  • Newly added worker nodes may take a few moments to become ready while their IP addresses are synced to the firewall rules.
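Because nothing outside the allowed list, the worker nodes and DigitalOcean's own systems can reach the API server once the firewall is on, it is worth checking a proposed list against the constraints above (public IPv4 CIDRs, no RFC 1918 ranges, at most 500 entries) and confirming that the public IP your kubectl or CI traffic leaves from is covered before you submit it. The following Go program is an added example and is not part of this documentation or of Godo; the operator address 2.3.9.9 in main is a constructed value.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Rules the page states for allow lists: public IPv4 CIDRs, no RFC 1918, max 500.
const maxAllowedAddresses = 500

// ValidateAllowedAddresses checks a proposed allow list before it is sent to the
// API and returns it with host bits cleared (for example 2.3.4.5/16 -> 2.3.0.0/16).
func ValidateAllowedAddresses(addrs []string) ([]netip.Prefix, error) {
	if len(addrs) > maxAllowedAddresses {
		return nil, fmt.Errorf("%d entries exceed the limit of %d", len(addrs), maxAllowedAddresses)
	}
	out := make([]netip.Prefix, 0, len(addrs))
	for _, raw := range addrs {
		p, err := netip.ParsePrefix(strings.TrimSpace(raw))
		switch {
		case err != nil:
			return nil, fmt.Errorf("%q is not in CIDR notation: %w", raw, err)
		case !p.Addr().Is4():
			return nil, fmt.Errorf("%q is not a public IPv4 range", raw)
		case p.Addr().IsPrivate():
			return nil, fmt.Errorf("%q is an RFC 1918 range, which the firewall rejects", raw)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// CoversOperator reports whether the list admits the public IP kubectl will
// connect from, so that enabling the firewall does not lock the operator out.
func CoversOperator(list []netip.Prefix, operatorIP string) bool {
	ip, err := netip.ParseAddr(operatorIP) // a malformed address counts as not covered
	for _, p := range list {
		if err == nil && p.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	list, err := ValidateAllowedAddresses([]string{"1.2.3.4/32", "2.3.0.0/16"})
	fmt.Println(list, err, CoversOperator(list, "2.3.9.9"))
}
```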

Add a Control Plane Firewall

You can add a control plane firewall when creating a new cluster or to an existing cluster. Updating the allowed addresses replaces the existing list.

To add a control plane firewall when creating a cluster, set the --enable-control-plane-firewall flag to true and specify the IP addresses in the --control-plane-firewall-allowed-addresses flag.

The following example creates a cluster with a control plane firewall enabled:

doctl kubernetes cluster create example-cluster \
  --region nyc1 \
  --version 1.33.1-do.0 \
  --enable-control-plane-firewall=true \
  --control-plane-firewall-allowed-addresses="1.2.3.4/32, 2.3.0.0/16"

To add a control plane firewall to an existing cluster, use the doctl kubernetes cluster update command. Set the --enable-control-plane-firewall flag to true and specify the IP addresses in the --control-plane-firewall-allowed-addresses flag. For example:

doctl kubernetes cluster update example-cluster \
  --enable-control-plane-firewall=true \
  --control-plane-firewall-allowed-addresses="1.2.3.4/32, 2.3.0.0/16"

To add a control plane firewall when creating a cluster through the API, send a POST request to https://api.digitalocean.com/v2/kubernetes/clusters with the following request body:

curl --location 'https://api.digitalocean.com/v2/kubernetes/clusters' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
--data '{
    "name": "example-cluster",
    "region": "nyc1",
    "version": "1.33.1-do.0",
    "node_pools": [
        {
            "size": "s-1vcpu-2gb",
            "count": 3,
            "name": "worker-pool"
        }
    ],
    "control_plane_firewall": {
        "enabled": true,
        "allowed_addresses": [
            "1.2.3.4/32",
            "2.3.0.0/16"
        ]
    }
}'

To add a control plane firewall to an existing cluster through the API, send a PUT request to https://api.digitalocean.com/v2/kubernetes/clusters/<cluster_id> with the following request body:

curl --location --request PUT 'https://api.digitalocean.com/v2/kubernetes/clusters/use_your_cluster_id' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
--data '{
    "control_plane_firewall": {
        "enabled": true,
        "allowed_addresses": [
            "1.2.3.4/32"
        ]
    }
}'

Go developers can use Godo, the official DigitalOcean V2 API client for Go. To add a control plane firewall when creating a Kubernetes cluster with Godo, use the following code:

package main

import (
	"context"
	"log"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("use_your_digitalocean_token")

	// Enabled is a *bool in godo, so it is set through the address of a local variable.
	enabled := true
	cluster, _, err := client.Kubernetes.Create(context.Background(), &godo.KubernetesClusterCreateRequest{
		Name:        "example-cluster",
		RegionSlug:  "nyc1",
		VersionSlug: "1.33.1-do.0",
		NodePools: []*godo.KubernetesNodePoolCreateRequest{
			{
				Name:  "worker-pool",
				Count: 3,
				Size:  "s-1vcpu-2gb",
			},
		},
		// Only these public IPv4 ranges, the worker nodes and DigitalOcean's own
		// systems can reach the API server once the firewall is enabled.
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
			AllowedAddresses: []string{
				"1.2.3.4/32",
				"2.3.0.0/16",
			},
		},
	})
	if err != nil {
		log.Fatalf("creating cluster: %v", err)
	}
	log.Printf("created cluster %s with the control plane firewall enabled", cluster.ID)
}

To add a control plane firewall to an existing cluster with Godo, use the following code:

package main

import (
	"context"
	"log"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("use_your_digitalocean_token")

	// Enabled is a *bool in godo, so it is set through the address of a local variable.
	enabled := true
	// Updating the allowed addresses replaces the cluster's existing list.
	cluster, _, err := client.Kubernetes.Update(context.Background(), "use_your_cluster_id", &godo.KubernetesClusterUpdateRequest{
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
			AllowedAddresses: []string{
				"1.2.3.4/32",
			},
		},
	})
	if err != nil {
		log.Fatalf("updating cluster: %v", err)
	}
	log.Printf("enabled the control plane firewall on cluster %s", cluster.ID)
}

To add a control plane firewall when creating a cluster with the DigitalOcean Terraform provider, include the control_plane_firewall block in your digitalocean_kubernetes_cluster resource:

resource "digitalocean_kubernetes_cluster" "example" {
  name    = "example-cluster"
  region  = "nyc1"
  version = "1.33.1-do.0"

  node_pool {
    name       = "worker-pool"
    size       = "s-1vcpu-2gb"
    node_count = 3
  }

  control_plane_firewall {
    enabled           = true
    allowed_addresses = ["1.2.3.4/32", "2.3.0.0/16"]
  }
}

Remove a Control Plane Firewall

To disable the control plane firewall and restore unrestricted access to the API server, set the firewall to disabled.

To remove an existing control plane firewall, use the doctl kubernetes cluster update command with the --enable-control-plane-firewall flag set to false. For example:

doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=false

To remove an existing control plane firewall through the API, send a PUT request to https://api.digitalocean.com/v2/kubernetes/clusters/<cluster_id> with enabled set to false:

curl --location --request PUT 'https://api.digitalocean.com/v2/kubernetes/clusters/use_your_cluster_id' \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer $DIGITALOCEAN_TOKEN" \
--data '{
    "control_plane_firewall": {
        "enabled": false
    }
}'

To remove a control plane firewall with Godo, use the following code:

package main

import (
	"context"
	"log"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("use_your_digitalocean_token")

	// Setting Enabled to false restores unrestricted access to the API server.
	enabled := false
	cluster, _, err := client.Kubernetes.Update(context.Background(), "use_your_cluster_id", &godo.KubernetesClusterUpdateRequest{
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
		},
	})
	if err != nil {
		log.Fatalf("updating cluster: %v", err)
	}
	log.Printf("disabled the control plane firewall on cluster %s", cluster.ID)
}

To remove an existing control plane firewall with the DigitalOcean Terraform provider, set enabled to false in the control_plane_firewall block of your digitalocean_kubernetes_cluster resource:

resource "digitalocean_kubernetes_cluster" "example" {
  name    = "example-cluster"
  region  = "nyc1"
  version = "1.33.1-do.0"

  node_pool {
    name       = "worker-pool"
    size       = "s-1vcpu-2gb"
    node_count = 3
  }

  control_plane_firewall {
    enabled           = false
    allowed_addresses = []
  }
}
