Master traffic inspection

Hello!

I have a requirement to firewall off and inspect all incoming and outgoing traffic from the Kubernetes masters in the cluster.

I believe I can achieve this by routing the incoming API Server traffic through a proxy and then to the unencrypted port.
But I am unclear on how I would achieve this with the API-server -> Kubelet traffic.

I am also unclear if there is any other traffic (such as CoreDNS traffic) which goes between the masters and the nodes. I'm also unclear on whether the Pod CIDR traffic and service traffic must also traverse the firewall.

Any help would be appreciated.

Thanks.