Reputation: 328
TLDR: need an IP whitelist that is updated every five minutes to restrict access to services
Hi there
I'm currently migrating our VMs into two Kubernetes clusters (prod and dev). Until now we have managed access to our system with network access policies that are updated every five minutes. Every environment had its own VM, and thus the setup of policies was easy. Our hosting partner is Open Telekom Cloud (OTC).
Now, with Kubernetes, we run multiple environments on one cluster, and network access policies would affect all hosted environments on the cluster.
The dev cluster hosts Preview, Dev1, Stage, ... Preview should have no access restrictions, all other environments should be limited by an IP whitelist.
Is it possible to keep a global IP whitelist, updated every five minutes, to limit access to some services? Are the updates distributed automatically?
Would I do the limiting in Ingresses, or should I use NetworkPolicies?
Is there another way to achieve this?
Greetings from Munich
Edit: Thanks a lot to @harsh-manvar
His solutions will help a lot on basically every managed Kubernetes service. Sadly we are restricted to the one from Telekom DE (OTC CCE).
We ended up with a Web Application Firewall (150€/month per domain) that forwards/blocks requests based on the IP.
Upvotes: 2
Views: 1618
Reputation: 30083
Is it possible to keep a global IP whitelist, updated every five minutes, to limit access to some services? Are the updates distributed automatically?
Yes, it is possible by managing and whitelisting the traffic at the ingress or gateway (Istio, Kong, KrakenD), if you are using one.
You can manage the YAML files with a configuration management tool and a CI/CD process so that changes get applied each time; this way it will be easy to manage as well.
Would I do the limiting in Ingresses, or should I use NetworkPolicies?
It depends more on the requirement. If you want to control traffic flow at the IP address or port level (OSI layer 3 or 4), then you might consider using Kubernetes NetworkPolicies for particular applications in your cluster.
For ingress whitelisting (NGINX ingress controller annotation; the value is a comma-separated list of CIDRs):
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "0.0.0.0/24"
Is there another way to achieve this?
You can also implement the load balancer source ranges filter (loadBalancerSourceRanges) at the Kubernetes Service level.
Upvotes: 2
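The answer above points at three places where a source-IP allowlist can be enforced (the ingress annotation, a NetworkPolicy, and loadBalancerSourceRanges on a Service) and at a CI/CD pipeline for rolling out the five-minute updates. The script below is an added example, not code from the question, the answer or any Kubernetes project: it takes a plain-text whitelist, validates and collapses it with Python's standard ipaddress module, and renders all three objects as JSON that kubectl apply can consume. The whitelist contents, the namespace "stage", the label app=web and the "broader than /8" limit are constructed assumptions for illustration. The important check it adds is that an empty or malformed list fails loudly, because an empty annotation value, an empty loadBalancerSourceRanges, or a NetworkPolicy ingress rule with no from entries all mean "allow everyone".

```python
"""Render Kubernetes source-IP allowlist objects from a plain whitelist file.

Added example (not from the original post). Intended to run from a CI job or
a CronJob every few minutes, followed by `kubectl apply -f` on its output.
"""
import ipaddress
import json
import sys

# Constructed sample input (assumption, not from the post): one entry per
# line, '#' comments allowed, deliberately containing a duplicate, a bare host
# address without a prefix, and a host that is already inside a listed /24.
SAMPLE_WHITELIST = """
# office
203.0.113.0/24
203.0.113.42        # already covered by the /24 above
198.51.100.7
198.51.100.7/32     # duplicate of the line above
2001:db8::/32
"""

# Policy choice (assumption): refuse ranges broader than these prefix lengths
# so a typo such as 0.0.0.0/0 cannot open the service to the whole internet.
MIN_PREFIXLEN = {4: 8, 6: 16}


def parse_whitelist(text):
    """Return sorted, de-duplicated, collapsed CIDR strings (IPv4 first).

    Raises ValueError on a malformed entry, an over-broad range, or an empty
    list, so a bad edit fails the pipeline instead of silently allowing all.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # host -> /32 or /128
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            raise ValueError(f"range too broad for an allowlist: {net}")
        nets.append(net)
    if not nets:
        raise ValueError("whitelist is empty; refusing to render an allow-all")
    # collapse_addresses merges duplicates and drops networks contained in
    # others; it must be called per address family.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def ingress_annotation(cidrs):
    """Value for nginx.ingress.kubernetes.io/whitelist-source-range."""
    return ",".join(cidrs)


def ingress_patch(name, namespace, cidrs):
    """Strategic-merge patch that sets the annotation on an existing Ingress."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {
                "nginx.ingress.kubernetes.io/whitelist-source-range": ingress_annotation(cidrs)
            },
        },
    }


def network_policy(name, namespace, app_label, cidrs):
    """NetworkPolicy allowing ingress to pods with app=<app_label> only from cidrs."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": app_label}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"ipBlock": {"cidr": c}} for c in cidrs]}],
        },
    }


def service_patch(name, namespace, cidrs):
    """Patch setting loadBalancerSourceRanges on a LoadBalancer Service."""
    return {
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"loadBalancerSourceRanges": cidrs},
    }


def render_all(text, namespace="stage", app_label="web"):
    """Kubernetes List with all three objects, ready for `kubectl apply -f -`."""
    cidrs = parse_whitelist(text)
    return {
        "apiVersion": "v1",
        "kind": "List",
        "items": [
            ingress_patch(app_label, namespace, cidrs),
            network_policy(f"{app_label}-allowlist", namespace, app_label, cidrs),
            service_patch(app_label, namespace, cidrs),
        ],
    }


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WHITELIST
    print(json.dumps(render_all(source), indent=2))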