DigitalOcean Kubernetes (DOKS) is a managed Kubernetes service. Deploy Kubernetes clusters with a fully managed control plane, high availability, autoscaling, and native integration with DigitalOcean Load Balancers and volumes. You can add node pools using shared and dedicated CPUs, and NVIDIA H100 GPUs in a single GPU or 8 GPU configuration. DOKS clusters are compatible with standard Kubernetes toolchains and the DigitalOcean API and CLI.
Control plane firewalls are in Early Availability for select DOKS customers. The feature improves security and traffic for your cluster. Once enabled, only configured IP addresses, cluster worker nodes and workloads, and internal systems that manage the cluster (such as cluster upgrades) can access the control plane.
The first time you enable the control plane firewall, you may see the following ephemeral effects:
WATCH requests that are forcefully terminated by the API server after a maximum period of 30 minutes.To add a control plane firewall when creating a cluster with doctl kubernetes cluster create, set the --enable-control-plane-firewall flag to true and specify the IP addresses in the --control-plane-firewall-allowed-addresses flag.
The following example creates a cluster named example-cluster in the nyc1 region with a node pool using Kubernetes version 1.30.1-do.0 with a firewall added to the control plane.
doctl kubernetes cluster create example-cluster --region nyc1 --version 1.30.1-do.0` --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16"
To add a control plane firewall to an existing cluster, use the doctl kubernetes cluster update command. Set the --enable-control-plane-firewall flag set to true and specify the IP addresses in the --control-plane-firewall-allowed-addresses flag. For example:
doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16"
You may experience a brief disruption to the API server as your cluster reconfigures to use the firewall.
To remove an existing control plane firewall, use the doctl kubernetes cluster update command with the --enable-control-plane-firewall flag set to false. For example:
doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=false
Add a control plane firewall to a cluster using the DigitalOcean API with cURL or Go.
To add a control plane firewall when creating a cluster, send a POST request to https://api.digitalocean.com/v2/kubernetes/clusters with the following request body:
curl --location 'https://api.digitalocean.com/v2/kubernetes/clusters' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \
--data '{
"name": "fw-create-test-1",
"region": "syd1",
"version": "1.30.1-do.0",
"node_pools": [
{
"size": "s-1vcpu-2gb",
"count": 3,
"name": "worker-pool"
}
],
"control_plane_firewall": {
"enabled": true,
"allowed_addresses": [
"1.2.3.4/32",
"4.3.2.1"
]
}
}'
To add a control plane firewall to an existing cluster, send a PUT request to https://api.digitalocean.com/v2/kubernetes/clusters with the following request body:
curl --location --request PUT 'https://api.digitalocean.com/v2/kubernetes/clusters/{cluster_id}' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \
--data '{
"control_plane_firewall": {
"enabled": true,
"allowed_addresses": [
"1.2.3.4"
]
}
}'
Go developers can use Godo, the official DigitalOcean V2 API client for Go. To add a control plane firewall when creating a Kubernetes cluster with Godo, use the following code:
package main
import (
"context"
"github.com/digitalocean/godo"
)
func main() {
client := godo.NewFromToken("your-digitalocean-token")
enabled := true
_, _, _ = client.Kubernetes.Create(context.Background(), &godo.KubernetesClusterCreateRequest{
Name: "control-plane-firewall-godo",
RegionSlug: "nyc1",
VersionSlug: "1.30.1-do.0",
NodePools: []*godo.KubernetesNodePoolCreateRequest{
{
Name: "worker-pool",
Count: 3,
Size: "s-1vcpu-2gb",
},
},
ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
Enabled: &enabled,
AllowedAddresses: []string{
"1.2.3.4/32",
"4.3.2.1",
},
},
})
}
To add a control plane firewall to an existing cluster with Godo, use the following code:
package main
import (
"context"
"fmt"
"github.com/digitalocean/godo"
)
func main() {
client := godo.NewFromToken("your-digitalocean-token")
enabled := true
_, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{
ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
Enabled: &enabled,
AllowedAddresses: []string{
"1.2.3.4/32",
},
},
})
}
To remove a control plane firewall, set the enabled flag to false. For example, use the following code with Godo:
package main
import (
"context"
"fmt"
"github.com/digitalocean/godo"
)
func main() {
client := godo.NewFromToken("your-digitalocean-token")
enabled := false
_, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{
ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{
Enabled: &enabled,
AllowedAddresses: []string{
"1.2.3.4/32",
},
},
})
}