Mikolaj

Reputation: 1919

How to limit IP addresses that have access to a Kubernetes Service?

Is there any way to limit the access to Kubernetes Service of type LoadBalancer from outside the cluster?

I would like to expose my database's pod to the Internet using a LoadBalancer service that would be accessible only from my external IP address.

My Kubernetes cluster runs on GKE.

Upvotes: 6

Views: 8894

Answers (2)

Ivan Aracki

Reputation: 5391

You can use loadBalancerSourceRanges to filter load balanced traffic as mentioned here.

Here is a simple example of a Service in front of Nginx Ingress controllers:

apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: external
    app.kubernetes.io/name: ingress-nginx
  name: external-ingress-nginx-controller
  namespace: kube-ingress
spec:
  # Entries must be in CIDR notation; a single IPv4 address is written with a /32 suffix.
  loadBalancerSourceRanges:
  - <YOUR_IP_1>
  - <YOUR_IP_2>
  - <YOUR_IP_3>
  ports:
  - name: https
    nodePort: 32293
    port: 443
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: external
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer

Upvotes: 11
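An audit for the setting used in the answer above, added here as an example and not part of the original answer: it flags LoadBalancer Services whose loadBalancerSourceRanges are missing, malformed or match every address, and checks whether a given client address would be admitted. The sample data, Service names and function names are constructed for illustration, and the check assumes the cloud provider enforces the field.

```python
import ipaddress
import json
# Constructed sample in the shape of `kubectl get services -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "default", "name": "db-restricted"},
  "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["203.0.113.7/32", "198.51.100.0/24"]}},
 {"metadata": {"namespace": "default", "name": "db-open"}, "spec": {"type": "LoadBalancer"}},
 {"metadata": {"namespace": "default", "name": "db-bad"},
  "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["0.0.0.0/0", "203.0.113.7"]}},
 {"metadata": {"namespace": "default", "name": "internal"}, "spec": {"type": "ClusterIP"}}
]}""")


def parse_ranges(svc):
    """Split a Service's loadBalancerSourceRanges into (networks, findings)."""
    nets, findings = [], []
    for entry in svc["spec"].get("loadBalancerSourceRanges") or []:
        try:
            if "/" not in entry:  # a bare address is not CIDR notation
                raise ValueError
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not valid CIDR notation (single host needs /32)")
            continue
        if net.prefixlen == 0:
            findings.append(f"{entry}: matches every address")
        nets.append(net)
    return nets, findings


def audit(service_list):
    """Map 'namespace/name' to findings for each LoadBalancer Service."""
    report = {}
    for svc in service_list["items"]:
        if svc["spec"].get("type") != "LoadBalancer":
            continue
        nets, findings = parse_ranges(svc)
        if not nets and not findings:
            findings.append("no loadBalancerSourceRanges: open to any source")
        report[f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'] = findings
    return report


def admits(svc, client_ip):
    """True if client_ip matches a valid range; an unset field admits everyone."""
    if not svc["spec"].get("loadBalancerSourceRanges"):
        return True
    return any(ipaddress.ip_address(client_ip) in n for n in parse_ranges(svc)[0])
```

To run it against a live cluster, load the output of `kubectl get services -A -o json` with `json.load` in place of `SAMPLE`.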

Jonas Breuer

Reputation: 111

Yes, you can achieve that at the Kubernetes level with a native Kubernetes Network Policy. There you can limit the Ingress traffic to your Kubernetes Service by specifying policies for the Ingress type. An example could be:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    ports:
    - protocol: TCP
      port: 6379

More information can be found in the official documentation.

If you want to block traffic from unwanted IP addresses already at the load balancer level, you have to define firewall rules and apply them to your GCP load balancer. More information regarding the GCP firewall rules can also be found in the documentation.

Upvotes: 1
