Should Kubernetes Worker Node have public IP?

2/23/2018

I'm planning a Kubernetes cluster (to be created on public cloud infrastructure). One important question: should worker nodes be exposed to the internet (have a public IP)? I suppose they shouldn't, but I wonder what the best practice is. Thanks.

-- Marian
kubernetes

1 Answer

2/23/2018

From a security perspective it is always wise to limit the number of publicly reachable nodes as much as possible, and there are multiple ways to achieve that.

The most common and easiest way is to place your worker nodes behind an LB solution of your cloud provider. The LB is publicly reachable, but your nodes won't be.

If you cannot or don't want to use an LB of your provider, you could also assign some worker nodes as publicly reachable edge routers, which will run ingress pods. The ingresses then act as LBs to your private worker nodes. However, the edge router nodes should ideally only run the ingress pods, in order to have better isolation of your main container infrastructure from publicly reachable nodes (this can be configured via labels).

-- fishi0x01
Source: StackOverflow
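The two layouts from the answer, written out as Kubernetes manifests. This is an added example, not code from the original answer or from any project: the label key `node-role/edge`, the taint key `edge`, the `ingress` namespace and the ingress controller image are placeholder names chosen for this example. It goes one step beyond the answer's labels-only suggestion by also tainting the edge nodes, so that the label pulls ingress pods onto them and the taint keeps every other workload off them.

```yaml
# Added example (not from the original answer). Assumptions: worker nodes
# already exist; the label key "node-role/edge", the taint key "edge" and the
# "ingress" namespace are hypothetical names; the controller image is a
# placeholder to be replaced with a real ingress controller image.
#
# Option 1 from the answer: keep every worker node private and let the cloud
# provider's load balancer be the only publicly reachable endpoint.
apiVersion: v1
kind: Service
metadata:
  name: web-frontend
  namespace: default
spec:
  type: LoadBalancer      # provider allocates the public LB; nodes need no public IP
  selector:
    app: web-frontend
  ports:
    - port: 443
      targetPort: 8443
---
# Option 2 from the answer: dedicate a few nodes as publicly reachable edge
# routers that run only the ingress pods. Mark each edge node once:
#   kubectl label node <edge-node-name> node-role/edge=true
#   kubectl taint node <edge-node-name> edge=true:NoSchedule
# The label lets the ingress DaemonSet select these nodes; the taint (an
# addition beyond the labels-only approach in the answer) repels every pod
# that does not carry a matching toleration, so application workloads stay
# on the private worker nodes.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: ingress-controller
  namespace: ingress
spec:
  selector:
    matchLabels:
      app: ingress-controller
  template:
    metadata:
      labels:
        app: ingress-controller
    spec:
      nodeSelector:
        node-role/edge: "true"   # only edge nodes run ingress pods
      tolerations:
        - key: edge
          operator: Equal
          value: "true"
          effect: NoSchedule     # permitted onto the tainted edge nodes
      hostNetwork: true          # bind 80/443 directly on the edge node's public IP
      containers:
        - name: controller
          image: INGRESS_CONTROLLER_IMAGE_PLACEHOLDER   # placeholder, not a real image
          ports:
            - containerPort: 80
              hostPort: 80
            - containerPort: 443
              hostPort: 443
```

After applying the manifests, `kubectl get pods -n ingress -o wide` should list the ingress pods only on the labelled edge nodes, and `kubectl get nodes -o wide` should show an EXTERNAL-IP only for those nodes (or, with option 1, for none of them). If an application pod ever lands on an edge node, the taint is missing or the pod carries an overly broad toleration, which is the condition the answer's isolation advice is meant to prevent.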