# How to Add a Control Plane Firewall (private) DigitalOcean Kubernetes (DOKS) is a Kubernetes service with a fully managed control plane, high availability, and autoscaling. DOKS integrates with standard Kubernetes toolchains and DigitalOcean’s load balancers, volumes, CPU and GPU Droplets, API, and CLI. **Note**: Control plane firewalls are in [private preview](https://docs.digitalocean.com/platform/product-lifecycle/index.html.md). Control plane firewalls improve security and traffic for your cluster. Once enabled, only configured IP addresses, cluster worker nodes and workloads, and internal systems that manage the cluster (such as cluster upgrades) can access the control plane. The first time you enable the control plane firewall, you may see the following ephemeral effects: - Requests to the control plane may be disrupted. - Access rules may not be fully enforced. - Existing open connections continue to work until terminate. This includes `WATCH` requests that are forcefully terminated by the API server after a maximum period of 30 minutes. ## Add a Control Plane Firewall Using the DigitalOcean CLI To add a control plane firewall when creating a cluster with `doctl kubernetes cluster create`, set the `--enable-control-plane-firewall` flag to `true` and specify the IP addresses in the `--control-plane-firewall-allowed-addresses` flag. The following example creates a cluster named `example-cluster` in the `nyc1` region with a node pool using Kubernetes version `1.30.1-do.0` with a firewall added to the control plane. ```shell doctl kubernetes cluster create example-cluster --region nyc1 --version 1.30.1-do.0` --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16" ``` To add a control plane firewall to an existing cluster, use the `doctl kubernetes cluster update` command. Set the `--enable-control-plane-firewall` flag set to `true` and specify the IP addresses in the `--control-plane-firewall-allowed-addresses` flag. For example: ```shell doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=true --control-plane-firewall-allowed-addresses="1.2.3.4/32, 1.1.0.0/16" ``` You may experience a brief disruption to the API server as your cluster reconfigures to use the firewall. ## Remove a Control Plane Firewall Using the DigitalOcean CLI To remove an existing control plane firewall, use the `doctl kubernetes cluster update` command with the `--enable-control-plane-firewall` flag set to `false`. For example: ```shell doctl kubernetes cluster update example-cluster --enable-control-plane-firewall=false ``` ## Add a Control Plane Firewall Using the DigitalOcean API Add a control plane firewall to a cluster using the DigitalOcean API with cURL or Go. ## cURL To add a control plane firewall when creating a cluster, send a `POST` request to `https://api.digitalocean.com/v2/kubernetes/clusters` with the following request body: ```shell curl --location 'https://api.digitalocean.com/v2/kubernetes/clusters' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \ --data '{ "name": "fw-create-test-1", "region": "syd1", "version": "1.30.1-do.0", "node_pools": [ { "size": "s-1vcpu-2gb", "count": 3, "name": "worker-pool" } ], "control_plane_firewall": { "enabled": true, "allowed_addresses": [ "1.2.3.4/32", "4.3.2.1" ] } }' ``` To add a control plane firewall to an existing cluster, send a `PUT` request to `https://api.digitalocean.com/v2/kubernetes/clusters` with the following request body: ```shell curl --location --request PUT 'https://api.digitalocean.com/v2/kubernetes/clusters/{cluster_id}' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer $DIGITALOCEAN_TOKEN' \ --data '{ "control_plane_firewall": { "enabled": true, "allowed_addresses": [ "1.2.3.4" ] } }' ``` ## Go Go developers can use [Godo](https://github.com/digitalocean/godo), the official DigitalOcean V2 API client for Go. To add a control plane firewall when creating a Kubernetes cluster with Godo, use the following code: ```go package main import ( "context" "github.com/digitalocean/godo" ) func main() { client := godo.NewFromToken("your-digitalocean-token") enabled := true _, _, _ = client.Kubernetes.Create(context.Background(), &godo.KubernetesClusterCreateRequest{ Name: "control-plane-firewall-godo", RegionSlug: "nyc1", VersionSlug: "1.30.1-do.0", NodePools: []*godo.KubernetesNodePoolCreateRequest{ { Name: "worker-pool", Count: 3, Size: "s-1vcpu-2gb", }, }, ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{ Enabled: &enabled, AllowedAddresses: []string{ "1.2.3.4/32", "4.3.2.1", }, }, }) } ``` To add a control plane firewall to an existing cluster with Godo, use the following code: ```go package main import ( "context" "fmt" "github.com/digitalocean/godo" ) func main() { client := godo.NewFromToken("your-digitalocean-token") enabled := true _, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{ ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{ Enabled: &enabled, AllowedAddresses: []string{ "1.2.3.4/32", }, }, }) } ``` ## Remove a Control Plane Firewall Using the DigitalOcean API To remove a control plane firewall, set the `enabled` flag to `false`. For example, use the following code with Godo: ```go package main import ( "context" "fmt" "github.com/digitalocean/godo" ) func main() { client := godo.NewFromToken("your-digitalocean-token") enabled := false _, _, _ = client.Kubernetes.Update(context.Background(), "your-cluster-id", &godo.KubernetesClusterUpdateRequest{ ControlPlaneFirewall: &godo.KubernetesControlPlaneFirewall{ Enabled: &enabled, AllowedAddresses: []string{ "1.2.3.4/32", }, }, }) } ```