How to Add a Control Plane Firewallprivate

Validated on 27 Jun 2024 • Last edited on 2 May 2025

DigitalOcean Kubernetes (DOKS) is a Kubernetes service with a fully managed control plane, high availability, and autoscaling. DOKS integrates with standard Kubernetes toolchains and DigitalOcean’s load balancers, volumes, CPU and GPU Droplets, API, and CLI.

Control plane firewalls improve security and traffic for your cluster. Once enabled, only configured IP addresses, cluster worker nodes and workloads, and internal systems that manage the cluster (such as cluster upgrades) can access the control plane.

The first time you enable the control plane firewall, you may see the following ephemeral effects:

  • Requests to the control plane may be disrupted.
  • Access rules may not be fully enforced.
  • Existing open connections continue to work until terminate. This includes WATCH requests that are forcefully terminated by the API server after a maximum period of 30 minutes.

Add a Control Plane Firewall Using the DigitalOcean CLI

To add a control plane firewall when creating a cluster with doctl kubernetes cluster create, set the --enable-control-plane-firewall flag to true and specify the IP addresses in the --control-plane-firewall-allowed-addresses flag.

The following example creates a cluster named example-cluster in the nyc1 region with a node pool using Kubernetes version 1.30.1-do.0 with a firewall added to the control plane.

doctl kubernetes cluster create example-cluster --region nyc1 --version 1.30.1-do.0` --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16"

To add a control plane firewall to an existing cluster, use the doctl kubernetes cluster update command. Set the --enable-control-plane-firewall flag set to true and specify the IP addresses in the --control-plane-firewall-allowed-addresses flag. For example:

doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16"

You may experience a brief disruption to the API server as your cluster reconfigures to use the firewall.

Remove a Control Plane Firewall Using the DigitalOcean CLI

To remove an existing control plane firewall, use the doctl kubernetes cluster update command with the --enable-control-plane-firewall flag set to false. For example:

doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=false

Add a Control Plane Firewall Using the DigitalOcean API

Add a control plane firewall to a cluster using the DigitalOcean API with cURL or Go.

To add a control plane firewall when creating a cluster, send a POST request to https://api.digitalocean.com/v2/kubernetes/clusters with the following request body:

curl --location 'https://api.digitalocean.com/v2/kubernetes/clusters' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \
--data '{
    "name": "fw-create-test-1",
    "region": "syd1",
    "version": "1.30.1-do.0",
    "node_pools": [
        {
            "size": "s-1vcpu-2gb",
            "count": 3,
            "name": "worker-pool"
        }
    ],
    "control_plane_firewall": {
        "enabled": true,
        "allowed_addresses": [
            "1.2.3.4/32",
            "4.3.2.1"
        ]
    }
}'

To add a control plane firewall to an existing cluster, send a PUT request to https://api.digitalocean.com/v2/kubernetes/clusters with the following request body:

curl --location --request PUT 'https://api.digitalocean.com/v2/kubernetes/clusters/{cluster_id}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \
--data '{
    "control_plane_firewall": {
        "enabled": true,
        "allowed_addresses": [
            "1.2.3.4"
        ]
    }
}'

Go developers can use Godo, the official DigitalOcean V2 API client for Go. To add a control plane firewall when creating a Kubernetes cluster with Godo, use the following code:

package main

import (
	"context"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("your-digitalocean-token")

	enabled := true
	_, _, _ = client.Kubernetes.Create(context.Background(), &godo.KubernetesClusterCreateRequest{
		Name:        "control-plane-firewall-godo",
		RegionSlug:  "nyc1",
		VersionSlug: "1.30.1-do.0",
		NodePools: []*godo.KubernetesNodePoolCreateRequest{
			{
				Name:  "worker-pool",
				Count: 3,
				Size:  "s-1vcpu-2gb",
			},
		},
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
			AllowedAddresses: []string{
				"1.2.3.4/32",
				"4.3.2.1",
			},
		},
	})
}

To add a control plane firewall to an existing cluster with Godo, use the following code:

package main

import (
	"context"
	"fmt"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("your-digitalocean-token")

	enabled := true
	_, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
			AllowedAddresses: []string{
				"1.2.3.4/32",
			},
		},
	})
}

Remove a Control Plane Firewall Using the DigitalOcean API

To remove a control plane firewall, set the enabled flag to false. For example, use the following code with Godo:

package main

import (
	"context"
	"fmt"

	"github.com/digitalocean/godo"
)

func main() {
	client := godo.NewFromToken("your-digitalocean-token")

	enabled := false
	_, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{
		ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
			Enabled: &enabled,
			AllowedAddresses: []string{
				"1.2.3.4/32",
			},
		},
	})
}

We can't find any results for your search.

Try using different keywords or simplifying your search terms.