# Network Topology

## Overview
The network architecture implements defense-in-depth with multiple security layers and zero-trust principles for external access.
## Network Diagram

```mermaid
graph TB
    subgraph Internet
        CF[Cloudflare Edge]
    end
    subgraph DMZ
        PF[pfSense Firewall]
    end
    subgraph Internal Network
        subgraph Management VLAN
            Proxmox[Proxmox VE]
        end
        subgraph Kubernetes VLAN
            Master[K3s Master]
            W1[Worker 1]
            W2[Worker 2]
            W3[Worker 3]
            W4[Worker 4]
        end
        subgraph Storage VLAN
            NAS[Storage]
        end
    end
    CF -.->|Tunnel| PF
    PF --> Master
    Master --> W1
    Master --> W2
    Master --> W3
    Master --> W4
    W1 --> NAS
    W2 --> NAS
    W3 --> NAS
    W4 --> NAS
```
## External Access

### Cloudflare Tunnel
All external access routes through Cloudflare Tunnel, eliminating the need for open inbound ports.
Benefits:
- No exposed ports on firewall
- DDoS protection at edge
- Automatic SSL/TLS
- Zero-trust access control
Exposed Services:

| Hostname | Service | Port |
|---|---|---|
| ajandrews.pro | Hub Web | 80 |
| api.ajandrews.pro | Hub API | 8080 |
| grafana.ajandrews.pro | Grafana | 3000 |
| kibana.ajandrews.pro | Kibana | 5601 |
| prometheus.ajandrews.pro | Prometheus | 9090 |
| argocd.ajandrews.pro | ArgoCD | 443 |
## Kubernetes Networking

### CNI: Flannel

K3s uses Flannel as the default CNI with the VXLAN backend for pod-to-pod communication.

### Service Types

| Type | Usage |
|---|---|
| ClusterIP | Internal services (default) |
| NodePort | Rarely used, only for debugging |
| LoadBalancer | Not applicable (no cloud LB) |

### DNS

- Internal: CoreDNS for cluster DNS
- Service Discovery: `<service>.<namespace>.svc.cluster.local`
## Firewall Rules

### Inbound (from Internet)
| Rule | Action |
|---|---|
| All inbound | BLOCKED |
| Cloudflare Tunnel | Outbound-initiated only |
### Internal Rules
| Source | Destination | Ports | Action |
|---|---|---|---|
| K8s nodes | K8s nodes | All | Allow |
| K8s nodes | Storage | NFS/iSCSI | Allow |
| Management | All | SSH, HTTPS | Allow |
## IP Addressing

### Cluster Network
| Component | Range |
|---|---|
| Pod CIDR | 10.42.0.0/16 |
| Service CIDR | 10.43.0.0/16 |
| Node Network | Internal LAN |
## Network Policies
Network policies are implemented at the namespace level for isolation:
```yaml
# Applied in each namespace to be isolated: selects every pod in the
# namespace and drops all ingress that no other policy explicitly allows.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
    - Ingress
```
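Once the default-deny policy is in place, each exposed service needs an explicit allow rule or the external request path breaks at the "Tunnel → Kubernetes Service" hop. The policy below is an added example, not part of this project's manifests: it admits the tunnel connector to the Hub API on port 8080 from the table above and lets those pods resolve names through CoreDNS. The namespace names (`hub`, `cloudflare`) and the labels `app=hub-api`, `app=cloudflared` and `k8s-app=kube-dns` are assumptions; adjust them to the real manifests.

```yaml
# Added example (assumed names): companion to default-deny-ingress for the
# Hub API pods. Namespaces "hub" and "cloudflare" and the app labels are
# assumptions, not values from this project.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: hub-api-allow-tunnel
  namespace: hub
spec:
  podSelector:
    matchLabels:
      app: hub-api
  # Listing Egress here means every egress from these pods not matched
  # below is denied too, so keep the DNS rule or name resolution fails.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the cloudflared connector pods may reach the API port (8080).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: cloudflare
          podSelector:
            matchLabels:
              app: cloudflared
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # Allow the "Pod A -> CoreDNS" step of internal service discovery.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Flannel itself does not enforce NetworkPolicy; on K3s the embedded network policy controller does, so verify enforcement from a pod outside the `cloudflare` namespace (for example, a one-off `kubectl run` pod curling the API) rather than assuming the CNI handles it.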
## Traffic Flow

### External Request Path

1. User → Cloudflare Edge (HTTPS)
2. Cloudflare → Tunnel endpoint (encrypted)
3. Tunnel → Kubernetes Service (ClusterIP)
4. Service → Pod (internal)

### Internal Service Communication

1. Pod A → CoreDNS (resolve service name)
2. CoreDNS → Pod A (service IP)
3. Pod A → Service IP (kube-proxy/iptables)
4. Service → Pod B (load balanced)