The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
If you want to restrict Kubernetes services from accessing any externalIPs, do not set any allowed CIDR blocks when you create the Kubernetes module. That is, do not use the --restrict-service-externalip-cidrs option of the olcnectl module create command. The externalip-validation-webhook-service Kubernetes service is deployed, but does not allow access to any externalIPs. For example:
$ olcnectl --api-server 127.0.0.1:8091 module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/ca.cert \
--restrict-service-externalip-tls-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/node.cert \
--restrict-service-externalip-tls-key=/etc/olcne/configs/certificates/restrict_external_ip/production/node.key
If you have an existing Kubernetes module and you want to remove access to all CIDR blocks that may have been configured, update the module and set the --restrict-service-externalip-cidrs option to null as shown in Section 4.8.2, “Modifying Access to CIDR Blocks”.
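Before removing all allowed CIDR blocks from an existing module, it helps to know which services already declare externalIPs and would no longer be permitted. The following audit script is an added example, not part of the Oracle documentation or the webhook's own code. It assumes input in the shape of kubectl get services -A -o json output and models the restriction as "an externalIP is allowed only if it falls inside a configured CIDR block"; the function name and the sample data are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `kubectl get services -A -o json` output.
SAMPLE_SERVICES = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"externalIPs": ["192.0.2.10", "198.51.100.7"]}},
  {"metadata": {"namespace": "default", "name": "internal-api"},
   "spec": {"clusterIP": "10.96.0.12"}},
  {"metadata": {"namespace": "ops", "name": "metrics"},
   "spec": {"externalIPs": ["2001:db8::5"]}}
]}
""")


def disallowed_external_ips(service_list, allowed_cidrs):
    """Return (namespace, name, ip) for each externalIP outside allowed_cidrs.

    An empty allowed_cidrs models a module with no CIDR blocks configured
    (assumption of this example): every externalIP is reported.
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for svc in service_list.get("items", []):
        meta = svc.get("metadata", {})
        for raw in svc.get("spec", {}).get("externalIPs") or []:
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                # Malformed entries are reported rather than silently skipped.
                findings.append((meta.get("namespace"), meta.get("name"), raw))
                continue
            # `addr in net` is False when the IP versions differ, so a mixed
            # IPv4/IPv6 allow-list is safe to compare against.
            if not any(addr in net for net in networks):
                findings.append((meta.get("namespace"), meta.get("name"), raw))
    return findings


if __name__ == "__main__":
    # No CIDR blocks configured: every declared externalIP is listed.
    for ns, name, ip in disallowed_external_ips(SAMPLE_SERVICES, []):
        print(f"{ns}/{name}: externalIP {ip} is outside the allowed CIDR blocks")
```

To audit a live cluster, load the JSON from kubectl get services -A -o json in place of SAMPLE_SERVICES.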

