Optimize Firewall Rules for k3s Cluster: Minimum Required Ports for Secure Operation

[wanGiB]

I'm currently using the following permissive firewall configuration to ensure my k3s cluster functions properly. However, I'm concerned about the security risks of having all incoming and outgoing traffic allowed on all ports. Could you advise on the minimum set of ports that should be opened for a k3s cluster to operate securely and efficiently? Here's the current configuration on hetzner cloud:

resource "hcloud_firewall" "k8s_firewall" {
  name = "k8s-firewall"

  # Allow all incoming TCP traffic on all ports
  rule {
    description   = "Allow all incoming TCP traffic"
    direction     = "in"
    protocol      = "tcp"
    port          = "1-65535"
    source_ips    = ["0.0.0.0/0", "::/0"]
  }

  # Allow all incoming UDP traffic on all ports
  rule {
    description   = "Allow all incoming UDP traffic"
    direction     = "in"
    protocol      = "udp"
    port          = "1-65535"
    source_ips    = ["0.0.0.0/0", "::/0"]
  }

  # Allow all outgoing TCP traffic on all ports
  rule {
    description   = "Allow all outgoing TCP traffic"
    direction     = "out"
    protocol      = "tcp"
    port          = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

  # Allow all outgoing UDP traffic on all ports
  rule {
    description   = "Allow all outgoing UDP traffic"
    direction     = "out"
    protocol      = "udp"
    port          = "1-65535"
    destination_ips = ["0.0.0.0/0", "::/0"]
  }

}

What would be the recommended minimal port configuration to enhance security while maintaining functionality?