docs: add a howto for configuring UFW

[ktsakalozos]

Description

We do not have a firewall configuration howto

Solution

Add a howto

Checklist

• PR title formatted as type: title
• Covered by unit tests
• Covered by integration tests
• Documentation updated
• CLA signed
• Backport label added if necessary

[nhennigan]

Thanks Kos! I think this is an important page that many users will need. I have left a few comments but they are mainly minor nits

[nhennigan]

Is there a reason you have to do it immediately? Is the timing important?

[ktsakalozos]

Here immediately means "without rebooting the system".

[nhennigan]

Do we need to install this on every node?

[ktsakalozos]

Yes, UFW needs to be installed on all nodes.

[nhennigan]

Suggestion instead of the negative version of this sentence:
If you are using the default network plugin, you should consider the following firewall rules:

[ktsakalozos]

Thank you.

[nhennigan]

Suggestion to make it clear which port is for which service:

Kubelet runs on all nodes, so allow traffic on port 10250 on all nodes:
//code here sudo ufw allow 10250/tcp
The kube-controller-manager and
kube-scheduler run only on the control plane nodes so allow traffic on ports 10257 and 10259 on control plane nodes:
//code here sudo ufw allow 10257/tcp sudo ufw allow 10259/tcp

[ktsakalozos]

Done

[nhennigan]

Suggested change

	To form an HA cluster the datastore used by Kubernetes (dqlite/etcd) needs
	To form a High Availability (HA) cluster the datastore used by Kubernetes (dqlite/etcd) needs

[nhennigan]

What can you learn form these logs? Which ports are trying to be accessed? Maybe we should add a comment here along the lines of "you should be able to see where the traffic is being dropped" or "this may help you identify any other ports or services you need to enable with UTW"

[louiseschmidtgen]

A couple of suggestions to improve the flow.

[louiseschmidtgen]

Suggested change

	In this how-to we present a set of firewall rules/guidelines
	you should consider when setting up {{product}}.
	This how-to presents a set of firewall rules/guidelines
	that should be considered when setting up {{product}}.

(let's use an active voice)

[louiseschmidtgen]

This sounds like a note can we format it accordingly please?
So starting with: ```{note}

[louiseschmidtgen]

Suggested change

	Be aware that these rules may be incompatible with your network setup
	and we recommend you review and tune them to match your needs.
	Please be aware that these rules may be incompatible with your network setup, so we recommend reviewing and adjusting them to match your needs.

(active voice + causal conjunction)

[louiseschmidtgen]

Suggested change

	Also, be aware that for each service hosted in Kubernetes,
	the firewall rules need to be reviewed as there might be
	special requirements for each.
	Also, please review the firewall rules for each service hosted in Kubernetes, as there might be
	special requirements for each.

[louiseschmidtgen]

Suggested change

	- A machine with Ubuntu where you have installed
	or you plan to install {{product}}.
	- You have root or sudo access to the machine.
	- An ubuntu machine where {{product}} is installed or will be installed.
	- Root or sudo access to the machine.

(active voice)

[louiseschmidtgen]

Suggested change

	If you are using the default network plugin (Cilium),
	you should consider the following firewall rules.
	When using the default network plugin (Cilium),
	consider the following firewall rules.

[louiseschmidtgen]

Suggested change

	This information may help you identify any other ports or services
	This information helps to identify any other ports or services

[louiseschmidtgen]

Suggested change

	To keep the resources used by UFW to a minimum you can disable logging:
	After troubleshooting, keep the resources used by UFW to a minimum by disabling logging again:

[louiseschmidtgen]

Suggested change

	Reload UFW:
	Reload UFW to apply the changes:

[louiseschmidtgen]

We could add a link to CoreDNS docs here.