The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
This chapter discusses setting access to externalIPs in Kubernetes services. For more information on externalIPs, see the upstream documentation at:
https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
When you deploy Kubernetes, a service is deployed to the cluster that controls access to externalIPs in Kubernetes services. The service is named externalip-validation-webhook-service and runs in the externalip-validation-system namespace.
After Kubernetes is deployed, you can see the service is running using:
$ kubectl get services --namespace externalip-validation-system
NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
externalip-validation-webhook-service   ClusterIP   10.100.79.236   <none>        443/TCP   15m
This Kubernetes service requires X.509 certificates to be set up before Kubernetes is deployed. You can use certificates generated by Vault, your own certificates, or certificates generated with the gen-certs-helper.sh script. For information on setting up these certificates, see Section 3.6, “Setting up X.509 Certificates for the externalIPs Kubernetes Service”.
When you deploy Kubernetes, you need to provide the location of these certificates in the olcnectl module create command. An example of creating a Kubernetes module and setting the certificate locations is shown in Section 4.2, “Adding Kubernetes to an Environment”.
You can optionally set the external IP addresses that can be accessed by Kubernetes services when you create the module. You use the --restrict-service-externalip-cidrs option of the olcnectl module create command to set this. In this example, only external IP addresses within the 192.0.2.0/24 and 198.51.100.0/24 CIDR blocks are allowed.
$ olcnectl --api-server 127.0.0.1:8091 module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/ca.cert \
--restrict-service-externalip-tls-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/node.cert \
--restrict-service-externalip-tls-key=/etc/olcne/configs/certificates/restrict_external_ip/production/node.key \
--restrict-service-externalip-cidrs=192.0.2.0/24,198.51.100.0/24
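The following is an added example, not part of the Oracle documentation or the webhook's own code. It is a hypothetical pre-deployment check that applies the same rule the webhook is described as enforcing (every entry in a Service's spec.externalIPs must fall inside one of the CIDR blocks passed to --restrict-service-externalip-cidrs), so that a manifest can be validated before it is sent to the cluster. The sample manifests are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

def parse_cidr_option(value: str) -> List[ipaddress.IPv4Network]:
    """Parse the comma-separated value given to --restrict-service-externalip-cidrs."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # strict=True rejects values such as 192.0.2.1/24 that have host bits set
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets

def check_external_ips(service: Dict, allowed: List) -> Tuple[bool, List[str]]:
    """Return (admit?, reasons) for a Service manifest parsed into a dict.

    Assumed rule, mirroring the restriction the webhook enforces: each address
    in spec.externalIPs must lie inside at least one allowed CIDR block.
    A Service with no externalIPs has nothing to restrict and is admitted."""
    problems = []
    for raw in service.get("spec", {}).get("externalIPs", []) or []:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            problems.append(f"{raw!r} is not a valid IP address")
            continue
        if not any(addr in net for net in allowed):
            problems.append(f"{addr} is outside the permitted CIDR blocks")
    return (not problems, problems)

# Same CIDR blocks as the olcnectl example above
ALLOWED = parse_cidr_option("192.0.2.0/24,198.51.100.0/24")

# Constructed sample manifests (not from the documentation)
GOOD_SERVICE = {
    "apiVersion": "v1", "kind": "Service", "metadata": {"name": "web"},
    "spec": {"selector": {"app": "web"}, "ports": [{"port": 80}],
             "externalIPs": ["192.0.2.10", "198.51.100.7"]},
}
BAD_SERVICE = {
    "apiVersion": "v1", "kind": "Service", "metadata": {"name": "rogue"},
    "spec": {"selector": {"app": "rogue"}, "ports": [{"port": 443}],
             "externalIPs": ["203.0.113.5", "192.0.2.10", "not-an-ip"]},
}

if __name__ == "__main__":
    for svc in (GOOD_SERVICE, BAD_SERVICE):
        ok, why = check_external_ips(svc, ALLOWED)
        print(svc["metadata"]["name"], "ADMIT" if ok else "REJECT", why)
```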