The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
Chapter 8 Setting Access to externalIPs in Kubernetes Services
This chapter discusses setting access to externalIPs in Kubernetes services. For more information on externalIPs, see the upstream documentation at:
https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
When you deploy Kubernetes, a service is deployed to the cluster that controls which externalIPs Kubernetes services are allowed to use. The service is named externalip-validation-webhook-service and runs in the externalip-validation-system namespace. It is a validating admission webhook: when a Service object that sets spec.externalIPs is created or updated, the API server asks this webhook whether each address falls within an allowed CIDR block and rejects the request if it does not. The restriction matters because kube-proxy delivers any traffic arriving at a node for an address listed in externalIPs to that Service's pods, so without it anyone permitted to create Services could claim an arbitrary IP address and intercept traffic destined for it (the man-in-the-middle issue tracked upstream as CVE-2020-8554).
After Kubernetes is deployed, you can see the service is running using:
kubectl get services --namespace externalip-validation-system
NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
externalip-validation-webhook-service   ClusterIP   10.100.79.236   <none>        443/TCP   15m
This Kubernetes service requires X.509 certificates to be set up before you deploy Kubernetes: the API server calls the webhook over TLS, so the webhook needs a server certificate and private key, and the API server needs the CA certificate to verify them. You can use certificates generated by Vault, your own certificates, or certificates generated using the gen-certs-helper.sh script. For information on setting up these certificates, see Getting Started.
When you deploy Kubernetes, you provide the locations of these certificates with the --restrict-service-externalip-ca-cert, --restrict-service-externalip-tls-cert and --restrict-service-externalip-tls-key options of the olcnectl module create command. Examples of creating a Kubernetes module and setting the certificate locations are shown in Section 2.1, “Creating a Kubernetes Module”.
8.1 Enabling Access to CIDR Blocks
You can optionally set the CIDR blocks from which Kubernetes services are allowed to take externalIPs when you create the module. You use the --restrict-service-externalip-cidrs option of the olcnectl module create command to set this; the value is a comma-separated list of CIDR blocks. In this example, externalIPs are allowed only within the 192.0.2.0/24 and 198.51.100.0/24 CIDR blocks; a Service that sets an externalIP outside these ranges is rejected.
olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert /etc/olcne/certificates/restrict_external_ip/ca.cert \
--restrict-service-externalip-tls-cert /etc/olcne/certificates/restrict_external_ip/node.cert \
--restrict-service-externalip-tls-key /etc/olcne/certificates/restrict_external_ip/node.key \
--restrict-service-externalip-cidrs 192.0.2.0/24,198.51.100.0/24
8.2 Modifying Access to CIDR Blocks
If you have a Kubernetes module that has CIDR blocks configured to be allowed, you can modify this configuration using the --restrict-service-externalip-cidrs option of the olcnectl module update command. This allows you to change the CIDR blocks that are configured; the new value replaces the existing list rather than adding to it. Note that tightening the allowed ranges affects Services created or updated after the change: a validating webhook does not revisit Services that already exist, so list the externalIPs of existing Services and remove any that now fall outside the allowed ranges. For example, to set the only CIDR block that can be used for externalIPs to 192.0.2.0/24 for an existing Kubernetes module:
olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip-cidrs 192.0.2.0/24
To remove access to all CIDR blocks, which means no externalIPs are allowed and any Service that sets spec.externalIPs is rejected, set the --restrict-service-externalip-cidrs option to an empty string (""). For example:
olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip-cidrs ""
8.3 Disabling Access to externalIPs
If you want to prevent Kubernetes services from using any externalIPs, do not set any allowed CIDR blocks when you create the Kubernetes module. That is, do not use the --restrict-service-externalip-cidrs option of the olcnectl module create command. The externalip-validation-webhook-service Kubernetes service is deployed, but it does not allow any externalIPs, so any Service that sets spec.externalIPs is rejected. For example:
olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert /etc/olcne/certificates/restrict_external_ip/ca.cert \
--restrict-service-externalip-tls-cert /etc/olcne/certificates/restrict_external_ip/node.cert \
--restrict-service-externalip-tls-key /etc/olcne/certificates/restrict_external_ip/node.key
If you have an existing Kubernetes module and you want to remove access to all CIDR blocks that may have been configured, update the module and set the --restrict-service-externalip-cidrs option to an empty string ("") as shown in Section 8.2, “Modifying Access to CIDR Blocks”.
8.4 Enabling Access to all externalIPs
If you want all Kubernetes services to be able to use any externalIPs, you can disable this feature using the --restrict-service-externalip false option of the olcnectl module create command. Disabling this feature means that all Kubernetes services can use any externalIPs in the cluster.
If you disable this feature, the externalip-validation-webhook-service Kubernetes service is not deployed to the cluster, which means no validation of external IP addresses is performed for Kubernetes services, and all CIDR blocks are allowed. This removes the only control over externalIPs: any user with permission to create or update Services can then set them to arbitrary addresses, including addresses in use by other workloads, and traffic for those addresses arriving at a node is delivered to that Service. Disable the feature only where everyone who can create Services is trusted with that capability. For example, when you create a Kubernetes module, include the --restrict-service-externalip false option:
olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip false
You can disable this feature in an existing Kubernetes cluster by using the --restrict-service-externalip false option of the olcnectl module update command. Modifying a Kubernetes module in this way removes the externalip-validation-webhook-service Kubernetes service from the cluster, so validation is no longer performed; the kubectl get services command shown at the start of this chapter no longer lists the service. For example:
olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip false
Conversely, if you enable this feature in a Kubernetes cluster by using the --restrict-service-externalip true option of the olcnectl module update command, the externalip-validation-webhook-service Kubernetes service is deployed to the cluster, and validation is performed again against the CIDR blocks set with --restrict-service-externalip-cidrs (none, if that option is not set). For example:
olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip true
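The following is an added example and is not code from Oracle or from the externalip-validation webhook itself. It models, in standard-library Python, the decision described in Sections 8.1 to 8.4: the --restrict-service-externalip-cidrs value is parsed into an allow-list, a Service's spec.externalIPs is checked against it (an empty string denies every externalIP, --restrict-service-externalip false accepts everything), and the result is wrapped in an admission.k8s.io/v1 AdmissionReview response. It also adds an audit of Services that already exist, which a validating webhook never revisits. The AdmissionReview request and response shape is the real one the API server uses; the request uid, the Service names and addresses, the 403 status code and the message texts are this example's assumptions, and the sample inputs are constructed.

```python
# Added example (not Oracle's or the webhook's code): a stand-alone model of the
# decision the externalIPs validation webhook makes, driven by the same
# --restrict-service-externalip-cidrs value that olcnectl takes.
import ipaddress
import json


def parse_allowed_cidrs(cidrs):
    """Parse the comma-separated --restrict-service-externalip-cidrs value.

    An empty string (the Section 8.2 setting that removes all access) yields an
    empty allow-list. strict=True makes a host address written with a prefix,
    such as 192.0.2.5/24, raise ValueError instead of being silently widened.
    """
    if not cidrs or not cidrs.strip():
        return []
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs.split(",")]


def check_external_ips(external_ips, allowed_cidrs, restrict=True):
    """Return (allowed, message) for one Service's externalIPs list.

    restrict=False models --restrict-service-externalip false (Section 8.4):
    the webhook is not deployed, so every externalIPs value is accepted.
    """
    if not restrict:
        return True, "externalIPs validation disabled"
    for raw in external_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return False, f"externalIP {raw!r} is not a valid IP address"
        if not any(ip in net for net in allowed_cidrs):
            return False, (f"externalIP {ip} is not within allowed CIDRs "
                           f"{[str(n) for n in allowed_cidrs]}")
    return True, "all externalIPs are within the allowed CIDRs"


def review_service(admission_review, cidrs, restrict=True):
    """Decide an admission.k8s.io/v1 AdmissionReview for a Service.

    A Service that sets no externalIPs is always allowed. The 403 status code
    and the message text are this example's choice, not the webhook's.
    """
    request = admission_review["request"]
    spec = request["object"].get("spec", {})
    allowed, message = check_external_ips(
        spec.get("externalIPs") or [], parse_allowed_cidrs(cidrs), restrict)
    response = {"uid": request["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def audit_services(service_list, cidrs):
    """List (namespace, name, reason) for existing Services whose externalIPs
    would now be rejected. A validating webhook only sees create and update
    requests, so run this after tightening the CIDRs. service_list is the
    parsed output of 'kubectl get services --all-namespaces -o json'."""
    allowed_cidrs = parse_allowed_cidrs(cidrs)
    offenders = []
    for svc in service_list.get("items", []):
        ips = svc.get("spec", {}).get("externalIPs") or []
        ok, message = check_external_ips(ips, allowed_cidrs)
        if not ok:
            meta = svc["metadata"]
            offenders.append((meta["namespace"], meta["name"], message))
    return offenders


# Constructed sample: an AdmissionReview for a Service that requests an
# externalIP in 198.51.100.0/24, one of the documentation's example ranges.
SAMPLE_REVIEW = json.loads("""{
  "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
  "request": {"uid": "0a1b2c3d", "operation": "CREATE",
    "object": {"apiVersion": "v1", "kind": "Service",
      "metadata": {"name": "web", "namespace": "default"},
      "spec": {"ports": [{"port": 80}], "externalIPs": ["198.51.100.10"]}}}}""")

# Constructed sample shaped like 'kubectl get services -A -o json' output: one
# externalIP inside 192.0.2.0/24, one outside, and a Service with none.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"externalIPs": ["192.0.2.20"]}},
    {"metadata": {"namespace": "team-a", "name": "proxy"},
     "spec": {"externalIPs": ["203.0.113.7"]}},
    {"metadata": {"namespace": "kube-system", "name": "kube-dns"},
     "spec": {"clusterIP": "10.96.0.10"}},
]}

if __name__ == "__main__":
    for cidrs in ("192.0.2.0/24,198.51.100.0/24", "192.0.2.0/24", ""):
        print(cidrs or '""', "->", review_service(SAMPLE_REVIEW, cidrs)["response"])
    print("disabled ->", review_service(SAMPLE_REVIEW, "", restrict=False)["response"])
    print("audit ->", audit_services(SAMPLE_SERVICES, "192.0.2.0/24"))
```

Running the module shows the same Service being admitted under the two-range configuration of Section 8.1, denied once the list is narrowed to 192.0.2.0/24 or emptied as in Section 8.2, and admitted again with validation disabled as in Section 8.4. The audit call is the step the olcnectl commands do not perform for you: after narrowing the allowed ranges, feed it the cluster's Service list to find Services whose externalIPs were admitted under the old configuration and still route traffic.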