The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

4.8 Setting Access to externalIPs in Kubernetes Services

This section describes how to control which externalIPs Kubernetes services in the cluster are allowed to use. The restriction matters because, without it, anyone who can create a service can set spec.externalIPs to an arbitrary address and have traffic destined for that address routed to the pods behind the service (upstream Kubernetes tracks this as CVE-2020-8554 and recommends an admission webhook as the mitigation). For more information on externalIPs, see the upstream documentation at:

https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

When you deploy Kubernetes, a validating admission webhook is deployed to the cluster that controls the externalIPs that Kubernetes services may use. The webhook is exposed through a Kubernetes service named externalip-validation-webhook-service, which runs in the externalip-validation-system namespace.

After Kubernetes is deployed, you can confirm that the service is running using:

$ kubectl get services --namespace externalip-validation-system
NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
externalip-validation-webhook-service   ClusterIP   10.100.79.236   <none>        443/TCP   15m

This Kubernetes service requires that X.509 certificates be set up before you deploy Kubernetes: the Kubernetes API server connects to the webhook over TLS and must trust the CA that issued the webhook's serving certificate, which is why a CA certificate, a TLS certificate and a TLS key are all supplied. You can use certificates generated by Vault, your own certificates, or certificates generated using the gen-certs-helper.sh script. For information on setting up these certificates, see Section 3.6, “Setting up X.509 Certificates for the externalIPs Kubernetes Service”.

When you deploy Kubernetes, you need to provide the location of these certificates in the olcnectl module create command. An example of creating a Kubernetes module and setting the certificate locations is shown in Section 4.2, “Adding Kubernetes to an Environment”.

4.8.1 Enabling Access to CIDR Blocks

You can optionally set the CIDR blocks that the externalIPs of Kubernetes services must fall within when you create the module. You use the --restrict-service-externalip-cidrs option of the olcnectl module create command to set this; a service whose spec.externalIPs contains an address outside these blocks is rejected by the webhook. In this example, the allowed IP ranges are the 192.0.2.0/24 and 198.51.100.0/24 CIDR blocks.

$ olcnectl --api-server 127.0.0.1:8091 module create \
  --environment-name myenvironment \
  --module kubernetes \
  --name mycluster \
  ...
  --restrict-service-externalip-ca-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/ca.cert \
  --restrict-service-externalip-tls-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/node.cert \
  --restrict-service-externalip-tls-key=/etc/olcne/configs/certificates/restrict_external_ip/production/node.key \
  --restrict-service-externalip-cidrs=192.0.2.0/24,198.51.100.0/24
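To make the policy concrete, the following added example (written for this page; it is not the Oracle webhook's source code and not taken from the Kubernetes project) models what a validating admission webhook configured with the allow list above has to decide. It parses the comma-separated value of --restrict-service-externalip-cidrs, checks every entry in a service's spec.externalIPs against those blocks, and wraps the verdict in the AdmissionReview v1 request/response shape that the Kubernetes API server exchanges with webhooks. The function names (parse_cidr_flag, validate_external_ips, handle_admission_review, make_review) are the example's own, the AdmissionReview documents are constructed inline rather than captured from a cluster, and the choice to deny every externalIP when the allow list is empty is an assumption of this example, not something the page states about the Oracle webhook.

```python
"""Model of the externalIPs validation policy described above.

Added example, not the Oracle webhook's own code. It shows the decision a
validating admission webhook makes for a Service object, given the CIDR
blocks passed via --restrict-service-externalip-cidrs.
"""
import ipaddress
import json


def parse_cidr_flag(flag_value):
    """Turn the comma-separated flag value into ip_network objects.

    strict=True rejects entries with host bits set (e.g. 192.0.2.1/24), so a
    typo in the allow list fails loudly at startup instead of silently
    widening or narrowing the policy.
    """
    nets = []
    for item in flag_value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def validate_external_ips(service, allowed):
    """Return (allowed, reason) for a Service object given as a dict.

    Every entry in spec.externalIPs must parse as an IP address and lie inside
    at least one allowed network. A Service with no externalIPs is always
    admitted. With an empty allow list every externalIP is rejected; that is
    this example's assumption, the page does not say what the Oracle webhook
    does in that case.
    """
    ips = (service.get("spec") or {}).get("externalIPs") or []
    for raw in ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return False, "externalIP %r is not a valid IP address" % raw
        # An IPv6 address is never "in" an IPv4 network, so mixed-family
        # entries are denied unless an IPv6 block is explicitly allowed.
        if not any(ip in net for net in allowed):
            return False, "externalIP %s is not in an allowed CIDR block" % ip
    return True, ""


def handle_admission_review(review, allowed):
    """Build the AdmissionReview response a validating webhook returns.

    Only Service objects carry externalIPs; any other kind is admitted as-is.
    request.object is absent on DELETE, so a missing object is treated as
    empty rather than raising.
    """
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    if req.get("kind", {}).get("kind") == "Service":
        ok, reason = validate_external_ips(req.get("object") or {}, allowed)
        resp["allowed"] = ok
        if not ok:
            resp["status"] = {"code": 403, "message": reason}
    return {"apiVersion": review["apiVersion"],
            "kind": "AdmissionReview",
            "response": resp}


def make_review(uid, external_ips):
    """Constructed sample AdmissionReview request for a Service CREATE.

    Not captured from a real cluster; it mirrors the admission.k8s.io/v1 shape
    the API server sends to webhooks.
    """
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "Service"},
            "operation": "CREATE",
            "object": {
                "apiVersion": "v1",
                "kind": "Service",
                "metadata": {"name": "demo", "namespace": "default"},
                "spec": {"ports": [{"port": 80}],
                         "externalIPs": external_ips},
            },
        },
    }


if __name__ == "__main__":
    # Same allow list as the olcnectl command above.
    allowed = parse_cidr_flag("192.0.2.0/24,198.51.100.0/24")
    cases = [["192.0.2.10"],                    # inside 192.0.2.0/24: admitted
             ["198.51.100.7", "203.0.113.5"],   # one outside: whole Service denied
             []]                                # no externalIPs: admitted
    for i, ips in enumerate(cases):
        out = handle_admission_review(make_review("req-%d" % i, ips), allowed)
        print(json.dumps(out["response"]))
```

Note that a single disallowed address denies the whole Service, and that the denial is the API server's answer to the client, so on a live cluster the equivalent check is to kubectl apply a Service whose spec.externalIPs lies outside the configured blocks and confirm that the request is refused with an admission webhook error rather than created.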