8 Setting Access to externalIPs in Kubernetes Services
This chapter discusses setting access to externalIPs in Kubernetes services. For more information on externalIPs, see the upstream Kubernetes documentation. Setting externalIPs on a Service makes kube-proxy on every node forward traffic that arrives for those addresses to the Service's endpoints, so a user who can create Services could otherwise capture traffic destined for arbitrary IP addresses. The validation described in this chapter restricts which addresses a Service may use.
When you deploy Kubernetes, a service is deployed to the cluster that controls access to externalIPs in Kubernetes services. The service is named externalip-validation-webhook-service and runs in the externalip-validation-system namespace.
After Kubernetes is deployed, you can confirm the service is running using:
kubectl get services --namespace externalip-validation-system
The output looks similar to:
NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
externalip-validation-webhook-service   ClusterIP   10.100.79.236   <none>        443/TCP   15m
To confirm that the admission webhook itself is registered with the API server, list the cluster's validating webhook configurations with kubectl get validatingwebhookconfigurations.
This Kubernetes service requires X.509 certificates to be set up before you deploy Kubernetes. You can use certificates issued by Vault, your own CA certificates, or certificates generated using the gen-certs-helper.sh script. For information on setting up these certificates, see Installation.
When you deploy Kubernetes, you provide the location of these certificates in the olcnectl module create command. Examples of creating a Kubernetes module and setting the certificate locations are shown in Creating a Kubernetes Module.
Enabling Access to CIDR Blocks
You can optionally set the ranges of external IP addresses that Kubernetes services are allowed to use when you create the module. You use the --restrict-service-externalip-cidrs option of the olcnectl module create command to set this. The value is a comma-separated list of CIDR blocks, and a Service is accepted only if every address in its externalIPs field falls inside one of them. In this example, the allowed IP ranges are the 192.0.2.0/24 and 198.51.100.0/24 CIDR blocks.
olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert /etc/olcne/certificates/restrict_external_ip/ca.cert \
--restrict-service-externalip-tls-cert /etc/olcne/certificates/restrict_external_ip/node.cert \
--restrict-service-externalip-tls-key /etc/olcne/certificates/restrict_external_ip/node.key \
--restrict-service-externalip-cidrs 192.0.2.0/24,198.51.100.0/24
Changing Access to CIDR Blocks
If a Kubernetes module already has allowed CIDR blocks configured, you can change them using the --restrict-service-externalip-cidrs option of the olcnectl module update command. The new list replaces the CIDR blocks that were configured. For example, to allow only the 192.0.2.0/24 CIDR block for an existing Kubernetes module:
olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip-cidrs 192.0.2.0/24
To remove access to all CIDR blocks, which means no externalIPs are allowed, set the --restrict-service-externalip-cidrs option to an empty string, for example:
olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip-cidrs ""
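The decision the webhook service makes for every Service create or update, covering both the comma-separated allow-list shown above and the empty-string setting that rejects all externalIPs, can be written out as follows. This is an added example for illustration, not the code of externalip-validation-webhook-service or of the Kubernetes project; the function names, the AdmissionReview sample and the denial message are assumptions made here.

```python
"""Validation logic of an externalIPs admission webhook (illustrative).

Added example, not the code of OLCNE's externalip-validation-webhook-service.
It reproduces the decision such a validating admission webhook has to make
for a Service create or update: allow the request only if every address in
spec.externalIPs lies inside one of the configured CIDR blocks. An empty
allow-list (the --restrict-service-externalip-cidrs "" setting) rejects any
externalIPs, while a Service with no externalIPs is always accepted.
"""
from __future__ import annotations

import ipaddress
import json


def parse_cidrs(cidr_arg: str) -> list:
    """Parse the comma-separated value of --restrict-service-externalip-cidrs.

    "" yields an empty list. A block with host bits set, such as 192.0.2.1/24,
    raises ValueError so a misconfiguration fails loudly instead of silently
    widening the allow-list.
    """
    return [ipaddress.ip_network(c.strip()) for c in cidr_arg.split(",") if c.strip()]


def disallowed_ips(external_ips, allowed_cidrs) -> list:
    """Return the entries of spec.externalIPs not covered by the allow-list.

    Values that are not valid IP addresses are reported as disallowed rather
    than skipped: an unparsable value must never pass validation.
    """
    bad = []
    for raw in external_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            bad.append(raw)
            continue
        # `ip in net` is False when the address families differ, so an IPv6
        # address never matches an IPv4 block and vice versa.
        if not any(ip in net for net in allowed_cidrs):
            bad.append(raw)
    return bad


def review(admission_review: dict, cidr_arg: str) -> dict:
    """Build the AdmissionReview response for a Service create/update request."""
    request = admission_review["request"]
    # request.object is the Service as it would be persisted; it is absent on
    # DELETE, which therefore has nothing to validate and is allowed.
    service = request.get("object") or {}
    external_ips = (service.get("spec") or {}).get("externalIPs") or []
    bad = disallowed_ips(external_ips, parse_cidrs(cidr_arg))
    response = {"uid": request["uid"], "allowed": not bad}
    if bad:
        response["status"] = {
            "code": 403,
            "message": "externalIPs not within allowed CIDR blocks: " + ", ".join(bad),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample request (hypothetical uid): a Service claiming one address
# inside 192.0.2.0/24 and one inside 203.0.113.0/24.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Service"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Service",
            "metadata": {"name": "web", "namespace": "default"},
            "spec": {
                "selector": {"app": "web"},
                "ports": [{"port": 80}],
                "externalIPs": ["192.0.2.10", "203.0.113.5"],
            },
        },
    },
}

if __name__ == "__main__":
    # The three settings discussed on this page: two blocks that exclude
    # 203.0.113.5, two blocks that cover both addresses, and the empty list.
    for cidrs in ("192.0.2.0/24,198.51.100.0/24", "192.0.2.0/24,203.0.113.0/24", ""):
        print(repr(cidrs), "->", json.dumps(review(SAMPLE_REVIEW, cidrs)["response"]))
```

Because the check runs at admission time, it only sees requests made while the webhook is registered; Services that were already created with externalIPs are not re-evaluated until they are next updated.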
Disabling Access to externalIPs
To prevent Kubernetes services from using any externalIPs, don't set any allowed CIDR blocks when you create the Kubernetes module; that is, omit the --restrict-service-externalip-cidrs option of the olcnectl module create command. The externalip-validation-webhook-service Kubernetes service is still deployed, but doesn't allow any externalIPs. For example:
olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert /etc/olcne/certificates/restrict_external_ip/ca.cert \
--restrict-service-externalip-tls-cert /etc/olcne/certificates/restrict_external_ip/node.cert \
--restrict-service-externalip-tls-key /etc/olcne/certificates/restrict_external_ip/node.key
If you have an existing Kubernetes module and want to remove access to all configured CIDR blocks, update the module and set the --restrict-service-externalip-cidrs option to an empty string, as shown in Changing Access to CIDR Blocks.
Enabling Access to all externalIPs
If you want all Kubernetes services to be able to use any externalIPs, you can disable this feature using the --restrict-service-externalip false option of the olcnectl module create command. Disabling this feature means that all Kubernetes services can use any externalIPs in the cluster.
If you disable this feature, the externalip-validation-webhook-service Kubernetes service isn't deployed to the cluster, so no validation of external IP addresses is performed for Kubernetes services and any address is accepted. Do this only in a cluster where everyone who can create or update Services is trusted not to claim addresses they don't own. For example, when you create a Kubernetes module, include the --restrict-service-externalip false option:
olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip false
You can disable this feature in an existing Kubernetes cluster by using the --restrict-service-externalip false option of the olcnectl module update command. Updating a Kubernetes module in this way removes the externalip-validation-webhook-service Kubernetes service from the cluster, so validation is no longer performed. For example:
olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip false
Conversely, if you enable this feature in a Kubernetes cluster by using the --restrict-service-externalip true option of the olcnectl module update command, the externalip-validation-webhook-service Kubernetes service is deployed to the cluster and validation is performed again. Admission webhooks validate only requests made after they are registered, so Services that were given externalIPs while validation was disabled remain in place until they are next updated. For example:
olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip true