8 Setting Access to externalIPs in Kubernetes Services

This chapter discusses setting access to externalIPs in Kubernetes services. For more information on externalIPs, see the upstream Kubernetes documentation. The externalIPs field of a Service lets that Service claim traffic sent to an arbitrary IP address, so without a control any user who can create or update Services could intercept traffic to other hosts from inside the cluster (upstream Kubernetes tracks this as CVE-2020-8554). The validating webhook described here limits which addresses a Service is allowed to claim.

When you deploy Kubernetes, a validating admission webhook that controls which externalIPs Kubernetes services can use is deployed to the cluster. The Kubernetes service that fronts this webhook is named externalip-validation-webhook-service and runs in the externalip-validation-system namespace.

After Kubernetes is deployed, you can confirm the service is running using:

kubectl get services --namespace externalip-validation-system

The output looks similar to:

NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
externalip-validation-webhook-service   ClusterIP   10.100.79.236   <none>        443/TCP   15m

You can also confirm that the webhook is registered with the Kubernetes API server using kubectl get validatingwebhookconfigurations. If the service is running but no webhook configuration is registered, Services aren't being validated.

This Kubernetes service requires that X.509 certificates are set up before you deploy Kubernetes, because the Kubernetes API server connects to the webhook over TLS. You can use certificates generated by Vault, certificates issued by your own CA, or certificates generated using the gen-certs-helper.sh script. For information on setting up these certificates, see Getting Started.

When you deploy Kubernetes, you need to provide the location of these certificates in the olcnectl module create command. Examples of creating a Kubernetes module and setting the certificate locations are shown in Creating a Kubernetes Module.

Enabling Access to CIDR Blocks

You can optionally set the externalIPs that Kubernetes services are allowed to use when you create the module. You use the --restrict-service-externalip-cidrs option of the olcnectl module create command to set this. In this example, Services may only use externalIPs within the 192.0.2.0/24 and 198.51.100.0/24 CIDR blocks; a Service that requests an externalIP outside these ranges is rejected by the webhook.

olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert /etc/olcne/certificates/restrict_external_ip/ca.cert \
--restrict-service-externalip-tls-cert /etc/olcne/certificates/restrict_external_ip/node.cert \
--restrict-service-externalip-tls-key /etc/olcne/certificates/restrict_external_ip/node.key \
--restrict-service-externalip-cidrs 192.0.2.0/24,198.51.100.0/24

Changing Access to CIDR Blocks

If a Kubernetes module already has allowed CIDR blocks configured, you can change them using the --restrict-service-externalip-cidrs option of the olcnectl module update command. The value you provide replaces the configured list rather than adding to it, so include every CIDR block you still want to allow. Note also that a validating webhook only checks Services when they are created or updated: tightening the list doesn't change Services that already exist, so review those separately, for example with kubectl get services --all-namespaces. For example, to allow only the 192.0.2.0/24 CIDR block for an existing Kubernetes module:

olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip-cidrs 192.0.2.0/24

To remove access to all CIDR blocks, so that no Service can use an externalIP, set the --restrict-service-externalip-cidrs option to an empty string, for example:

olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip-cidrs ""

Disabling Access to externalIPs

To prevent Kubernetes services from using any externalIPs, don't set any allowed CIDR blocks when you create the Kubernetes module, that is, omit the --restrict-service-externalip-cidrs option of the olcnectl module create command. The externalip-validation-webhook-service Kubernetes service is still deployed, but doesn't allow any externalIPs. For example:

olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert /etc/olcne/certificates/restrict_external_ip/ca.cert \
--restrict-service-externalip-tls-cert /etc/olcne/certificates/restrict_external_ip/node.cert \
--restrict-service-externalip-tls-key /etc/olcne/certificates/restrict_external_ip/node.key

If you have an existing Kubernetes module and you want to remove access to all configured CIDR blocks, update the module and set the --restrict-service-externalip-cidrs option to an empty string as shown in Changing Access to CIDR Blocks.

Enabling Access to all externalIPs

If you want Kubernetes services to be able to use any externalIP, you can disable this feature using the --restrict-service-externalip false option of the olcnectl module create command. Disabling this feature means that all Kubernetes services can use any externalIP, which also removes the protection against a Service claiming traffic for an address it shouldn't own. Only do this if another control, such as RBAC that limits who can create or update Services, covers that risk.

If you disable this feature, the externalip-validation-webhook-service Kubernetes service isn't deployed to the cluster, so no validation of externalIPs is performed for Kubernetes services and any address is accepted. For example, when you create a Kubernetes module, include the --restrict-service-externalip false option:

olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip false

You can also disable this feature on an existing Kubernetes cluster by using the --restrict-service-externalip false option of the olcnectl module update command. Changing a Kubernetes module in this way removes the externalip-validation-webhook-service Kubernetes service from the cluster, so validation is no longer performed. For example:

olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip false

Conversely, if you enable this feature on an existing Kubernetes cluster by using the --restrict-service-externalip true option of the olcnectl module update command, the externalip-validation-webhook-service Kubernetes service is deployed to the cluster and validation is performed again. For example:

olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip true
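The following preflight script is added here as an example; it is not part of this page and not Oracle Cloud Native Environment's own code. It reproduces the three admission outcomes described in this chapter so a Service manifest can be checked locally before it is applied: an allow list of CIDR blocks, the empty-string setting (no externalIPs allowed), and the feature disabled (no validation at all). The function names, the sample manifests, and the handling of the option string as a comma-separated list are the example's own assumptions.

```python
"""Local preflight check for Service externalIPs.

Hypothetical helper, not the externalip-validation webhook's own code. It mirrors
the policy described in this chapter so a manifest can be checked before
kubectl apply.
"""
import ipaddress
from typing import List, Optional, Tuple


def parse_cidrs(cidr_option: str) -> list:
    """Parse the value passed to --restrict-service-externalip-cidrs.

    The option is assumed to be a comma-separated list of CIDR blocks; an empty
    string is the 'no CIDR blocks allowed' setting. strict=True makes a block
    with host bits set (e.g. 192.0.2.1/24) fail loudly instead of being widened.
    """
    nets = []
    for item in cidr_option.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=True))
    return nets


def validate_service(service: dict, allowed_cidrs: list,
                     restrict_enabled: bool = True) -> Tuple[bool, str]:
    """Return (admitted, reason) for a Service object given as a dict.

    restrict_enabled=False models --restrict-service-externalip false, where the
    webhook is not deployed and nothing is checked.
    """
    if not restrict_enabled:
        return True, "restriction disabled: no validation performed"
    external_ips = service.get("spec", {}).get("externalIPs") or []
    if not external_ips:
        # Only Services that claim an externalIP are subject to the allow list.
        return True, "no externalIPs requested"
    for raw in external_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return False, "externalIP %r is not a valid IP address" % raw
        # An IPv4 address is never inside an IPv6 network and vice versa, so a
        # mixed allow list is handled correctly by this membership test.
        if not any(ip in net for net in allowed_cidrs):
            return False, "externalIP %s is outside the allowed CIDR blocks" % raw
    return True, "all externalIPs are inside the allowed CIDR blocks"


def _service(name: str, external_ips: Optional[List[str]]) -> dict:
    """Build a minimal Service object (constructed sample data, not from the page)."""
    spec = {"type": "ClusterIP", "ports": [{"port": 80, "targetPort": 8080}]}
    if external_ips is not None:
        spec["externalIPs"] = external_ips
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": name, "namespace": "default"}, "spec": spec}


# Constructed sample manifests using documentation address ranges.
SERVICE_INSIDE = _service("web-inside", ["192.0.2.10"])
SERVICE_OUTSIDE = _service("web-outside", ["192.0.2.10", "203.0.113.7"])
SERVICE_NO_EXTERNAL_IP = _service("web-internal", None)

# The allow list used in this chapter's olcnectl module create example.
EXAMPLE_CIDRS = "192.0.2.0/24,198.51.100.0/24"


if __name__ == "__main__":
    scenarios = [
        ("cidrs configured", parse_cidrs(EXAMPLE_CIDRS), True),
        ("cidrs set to empty string", parse_cidrs(""), True),
        ("feature disabled", [], False),
    ]
    for label, nets, enabled in scenarios:
        print("--", label)
        for svc in (SERVICE_INSIDE, SERVICE_OUTSIDE, SERVICE_NO_EXTERNAL_IP):
            admitted, reason = validate_service(svc, nets, enabled)
            print("  %-13s %s: %s" % (svc["metadata"]["name"],
                                      "ADMIT" if admitted else "REJECT", reason))
```

Run the script with no arguments to see every sample manifest evaluated under each of the three modes. Because a validating webhook only runs on create and update, a check like this is also a convenient way to audit Services that already exist after you tighten the CIDR list: feed it the spec from kubectl get service -o json and compare against the new allow list.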