Reputation: 978
I am very new to GCP. For now I have deployed a hello-world container in GKE. This hello-world is backed by an external load balancer, meaning that it is accessible to everyone on the internet provided they have its IP address.
I would like to restrict the access to this endpoint only to authenticated users (through Google SSO) that are part of my project or my organization. Is there a way to do so?
Upvotes: 0
Views: 1761
Reputation: 473
You need to integrate IAP (Identity-Aware Proxy).
Use IAP when you want to enforce access control policies for applications and resources. IAP works with signed headers or the App Engine standard environment Users API to secure your app. With IAP, you can set up group-based application access: a resource could be accessible for employees and inaccessible for contractors, or only accessible to a specific department.
IAP is integrated through Ingress for GKE. This integration enables you to control resource-level access for employees instead of using a VPN.
In a GKE cluster, incoming traffic is handled by HTTP(S) Load Balancing, a component of Cloud Load Balancing. The HTTP(S) load balancer is typically configured by the Kubernetes Ingress controller. The Ingress controller gets configuration information from a Kubernetes Ingress object that is associated with one or more Service objects. Each Service object holds routing information that is used to direct an incoming request to a particular Pod and port.
Beginning with Kubernetes version 1.10.5-gke.3, you can add configuration for the load balancer by associating a Service with a BackendConfig object. BackendConfig is a custom resource definition (CRD) that is defined in the kubernetes/ingress-gce repository.
The Kubernetes Ingress controller reads configuration information from the BackendConfig and sets up the load balancer accordingly. A BackendConfig holds configuration information that is specific to Cloud Load Balancing, and enables you to define a separate configuration for each HTTP(S) Load Balancing backend service.
Upvotes: 2
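As an added worked example (not part of the original answer), here are the manifests the Ingress-for-GKE integration described above needs: a Secret holding the OAuth client credentials, a BackendConfig with IAP switched on, a Service annotated to use that BackendConfig, and the Ingress that creates the external HTTP(S) load balancer. The names `hello-ns`, `iap-oauth-secret`, `hello-backendconfig`, `hello-world`, `hello-ingress`, `hello-tls` and `hello.example.com` are placeholders chosen for this example; the OAuth client ID and secret are the ones you create on the project's Credentials page, and the TLS secret is assumed to already exist.

```yaml
# Added example with assumed names; not code from the original answer.
# 1) OAuth client credentials that IAP uses for the Google sign-in redirect.
#    The two values are placeholders for a client created in the Console.
apiVersion: v1
kind: Secret
metadata:
  name: iap-oauth-secret
  namespace: hello-ns
type: Opaque
stringData:
  client_id: REPLACE_WITH_OAUTH_CLIENT_ID
  client_secret: REPLACE_WITH_OAUTH_CLIENT_SECRET
---
# 2) BackendConfig: the Ingress controller reads this and enables IAP on every
#    load balancer backend service that references it.
#    Older clusters use apiVersion cloud.google.com/v1beta1.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: hello-backendconfig
  namespace: hello-ns
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth-secret
---
# 3) Service: the annotation binds the BackendConfig to the Service.
#    "default" applies it to all ports; {"ports": {"80": "..."}} would scope
#    it to one port. NodePort so the external load balancer can reach the Pods.
apiVersion: v1
kind: Service
metadata:
  name: hello-world
  namespace: hello-ns
  annotations:
    cloud.google.com/backend-config: '{"default": "hello-backendconfig"}'
spec:
  type: NodePort
  selector:
    app: hello-world
  ports:
  - name: http
    port: 80
    targetPort: 8080
---
# 4) Ingress: creates the external HTTP(S) load balancer in front of the
#    Service. IAP's sign-in flow needs an HTTPS frontend, hence the tls block
#    (the hello-tls secret is assumed to exist).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-ingress
  namespace: hello-ns
spec:
  tls:
  - hosts:
    - hello.example.com
    secretName: hello-tls
  rules:
  - host: hello.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hello-world
            port:
              number: 80
```

After `kubectl apply`, IAP is enabled but nobody is authorized yet: grant `roles/iap.httpsResourceAccessor` (IAP-secured Web App User) on the generated backend service to the principals you want in, for example `domain:your-org.example.com` for everyone in the Google Workspace organization, or a group or individual user. Two caveats a practitioner should check. First, IAP is enforced only on traffic that enters through this load balancer; the NodePort and any in-cluster path reach the Pods with no authentication, so the application should verify the signed `X-Goog-IAP-JWT-Assertion` header (check signature, audience and issuer) rather than trusting the unsigned `X-Goog-Authenticated-User-Email` header on its own. Second, IAP protects this Ingress only; the original external `LoadBalancer`-type Service from the hello-world deployment, if it is still present, remains open to the internet and should be deleted or converted to `NodePort`.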