The K3S documentation explains which ports are required for this kubernetes distribution to work.
What it does NOT explain is, which of these ports are OK to be open on a public interface.
K3S seems to deal with the following ports:

Master
- 6443/tcp nodes
- 8472/udp flannel
- 10250/tcp kubelet (metrics)
- 10251/tcp controller-manager
- 10255/tcp kubelet (readonly)

Worker
- 10250/tcp kubelet (metrics)
- 10255/tcp kubelet (readonly)
- 30000-32767/tcp nodeports
Given that the cluster nodes share their own subnet, it seems to make sense to bind the ports to the subnet interface (instead of the public interface). Unfortunately this is not exactly painless with K3S.
So before jumping through hoops:
Which of the ports above should be hidden from the public interface?
Which of the ports above are secured and maybe even required to be available via the public interface (e.g. access to the cluster via kubectl)?
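Before deciding which of the listed ports to firewall, it helps to see how each one is actually bound on a node. The script below is an added example (not part of the question and not K3S project code): it takes output in the layout of `ss -Hlntup`, matches each listening socket against the port table from the question, and reports whether the socket is bound to a wildcard address, the loopback, the cluster subnet, or some other interface. The sample `ss` lines and the cluster subnet `10.0.0.0/24` are constructed for the example; run it against real `ss` output on a master or worker to get the actual picture.

```python
import ipaddress
import sys

# Ports taken from the question, keyed by protocol and port number.
K3S_PORTS = {
    ("tcp", 6443): "API server (nodes / kubectl)",
    ("udp", 8472): "flannel VXLAN",
    ("tcp", 10250): "kubelet (metrics)",
    ("tcp", 10251): "controller-manager",
    ("tcp", 10255): "kubelet (read-only)",
}
NODEPORT_RANGE = range(30000, 32768)  # 30000-32767/tcp

# Constructed sample in the layout of `ss -Hlntup`; not captured from a real node.
SAMPLE_SS = """\
tcp   LISTEN 0      4096   *:6443            *:*
udp   UNCONN 0      0      0.0.0.0:8472      0.0.0.0:*
tcp   LISTEN 0      4096   10.0.0.5:10250    0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:10251   0.0.0.0:*
tcp   LISTEN 0      4096   [::]:10255        [::]:*
tcp   LISTEN 0      4096   0.0.0.0:31000     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
"""


def split_local(addr):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def classify_bind(host, cluster_subnet):
    """Name the kind of address a socket is bound to."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"          # reachable on every interface, public included
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"          # local processes only
    if ip in cluster_subnet:
        return "cluster-subnet"    # bound to the nodes' private network
    return "other-interface"       # bound to some other address, e.g. the public one


def audit(ss_output, cluster_subnet):
    """Return one finding per K3S-related listening socket in ss_output.

    A socket is flagged 'exposed' when its bind class means it is reachable
    from outside the cluster subnet (wildcard or a non-cluster interface).
    """
    subnet = ipaddress.ip_network(cluster_subnet)
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        host, port = split_local(fields[4])
        if (proto, port) in K3S_PORTS:
            component = K3S_PORTS[(proto, port)]
        elif proto == "tcp" and port in NODEPORT_RANGE:
            component = "NodePort service"
        else:
            continue  # not one of the ports the question is about
        bind = classify_bind(host, subnet)
        findings.append({
            "proto": proto,
            "port": port,
            "component": component,
            "bind": bind,
            "exposed": bind in ("wildcard", "other-interface"),
        })
    return findings


def format_report(findings):
    """Render findings as fixed-width lines for a terminal."""
    lines = []
    for f in findings:
        flag = "EXPOSED" if f["exposed"] else "ok"
        lines.append(f'{f["proto"]:<4} {f["port"]:<6} {f["bind"]:<15} {flag:<8} {f["component"]}')
    return lines


if __name__ == "__main__":
    # Pipe real output in with: ss -Hlntup | python3 audit_k3s_ports.py 10.0.0.0/24
    subnet_arg = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.0/24"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    print("\n".join(format_report(audit(data, subnet_arg))))
```

The bind class is what matters for the question: a socket bound to the cluster subnet address or the loopback is not reachable through the public interface at all, whereas a wildcard bind depends entirely on a host firewall to hide it. The script only reports the current state; it does not change any binding or firewall rule.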