Chapter 9 Setting Access to externalIPs in Kubernetes Services

This chapter discusses setting access to externalIPs in Kubernetes services. For more information on externalIPs, see the upstream documentation at:

https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

When you deploy Kubernetes, a validating admission webhook is deployed to the cluster that controls which externalIPs may be set on Kubernetes Service objects. The webhook is exposed as a Kubernetes service named externalip-validation-webhook-service and runs in the externalip-validation-system namespace. The restriction matters because kube-proxy forwards traffic that arrives on a node for a Service's externalIPs to that Service's endpoints, so without validation any user who can create Services could claim arbitrary addresses and intercept traffic destined for them. The webhook limits the externalIPs field to the CIDR blocks you explicitly allow.

After Kubernetes is deployed, you can confirm the service is running with:

kubectl get services --namespace externalip-validation-system
NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
externalip-validation-webhook-service   ClusterIP   10.100.79.236   <none>        443/TCP   15m

This Kubernetes service requires X.509 certificates to be set up prior to deploying Kubernetes, because the API server calls the webhook over TLS and must be able to verify the certificate the webhook presents. You can use certificates generated by Vault, your own certificates, or generate certificates using the gen-certs-helper.sh script. For information on setting up these certificates, see Getting Started.

When you deploy Kubernetes, you need to provide the location of these certificates in the olcnectl module create command. Examples of creating a Kubernetes module and setting the certificate locations are shown in Section 2.1, “Creating a Kubernetes Module”.

9.1 Enabling Access to CIDR Blocks

You can optionally set the ranges of external IP addresses that Kubernetes Services are allowed to declare in their externalIPs field when you create the module. You use the --restrict-service-externalip-cidrs option of the olcnectl module create command to set this; the value is a comma-separated list of CIDR blocks, and a Service whose externalIPs fall outside every listed block is rejected by the webhook. In this example, the IP addresses that are allowed are those within the 192.0.2.0/24 and 198.51.100.0/24 CIDR blocks.

olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/ca.cert \
--restrict-service-externalip-tls-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/node.cert \
--restrict-service-externalip-tls-key=/etc/olcne/configs/certificates/restrict_external_ip/production/node.key \
--restrict-service-externalip-cidrs=192.0.2.0/24,198.51.100.0/24

9.2 Modifying Access to CIDR Blocks

If you have a Kubernetes module that has CIDR blocks configured to be allowed, you can modify this configuration using the --restrict-service-externalip-cidrs option of the olcnectl module update command. This allows you to change the CIDRs that are configured; the new list replaces the old one rather than being merged with it. For example, to set the only CIDR block that can be used to 192.0.2.0/24 for an existing Kubernetes module:

olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip-cidrs=192.0.2.0/24

To remove access to all CIDR blocks, which means no externalIPs are allowed on any Service, set the --restrict-service-externalip-cidrs option to an empty string, for example:

olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip-cidrs=""

9.3 Disabling Access to externalIPs

If you want to prevent Kubernetes Services from using any externalIPs, do not set any allowed CIDR blocks when you create the Kubernetes module. That is, do not use the --restrict-service-externalip-cidrs option of the olcnectl module create command. The externalip-validation-webhook-service Kubernetes service is still deployed, but it rejects every Service that declares an externalIP. For example:

olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip-ca-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/ca.cert \
--restrict-service-externalip-tls-cert=/etc/olcne/configs/certificates/restrict_external_ip/production/node.cert \
--restrict-service-externalip-tls-key=/etc/olcne/configs/certificates/restrict_external_ip/production/node.key

If you have an existing Kubernetes module and you want to remove access to all CIDR blocks that may have been configured, update the module and set the --restrict-service-externalip-cidrs option to an empty string as shown in Section 9.2, “Modifying Access to CIDR Blocks”.

9.4 Enabling Access to all externalIPs

If you want all Kubernetes Services to be able to use any externalIP, you can disable this feature using the --restrict-service-externalip=false option of the olcnectl module create command. Disabling this feature means that any Service in the cluster can declare any externalIP, so only do this where everyone who can create Services is trusted with that capability.

If you disable this feature, the externalip-validation-webhook-service Kubernetes service is not deployed to the cluster, which means no validation of external IP addresses is performed for Kubernetes Services, and all CIDR blocks are effectively allowed. For example, when you create a Kubernetes module, include the --restrict-service-externalip=false option:

olcnectl module create \
--environment-name myenvironment \
--module kubernetes \
--name mycluster \
...
--restrict-service-externalip=false 

You can disable this feature in a Kubernetes cluster by using the --restrict-service-externalip=false option of the olcnectl module update command. Modifying a Kubernetes module in this way removes the externalip-validation-webhook-service Kubernetes service from the cluster, so validation is not performed. For example:

olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip=false 

Conversely, if you enable this feature in a Kubernetes cluster by using the --restrict-service-externalip=true option of the olcnectl module update command, the externalip-validation-webhook-service Kubernetes service is deployed to the cluster, so validation is then performed. For example:

olcnectl module update \
--environment-name myenvironment \
--name mycluster \
--restrict-service-externalip=true
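After applying any of the settings in Sections 9.1 through 9.4, it is worth confirming that the cluster actually enforces what you configured rather than trusting the olcnectl options alone. The following script is an added example, not part of the Oracle documentation or the olcnectl tooling. It reproduces the allow-list decision locally (an IPv4 address is admitted only if it falls inside one of the CIDR blocks passed to --restrict-service-externalip-cidrs; an empty list admits nothing), then, if kubectl is available, checks that the webhook service from this chapter is present and submits a test Service with a server-side dry run so the admission webhook is exercised without persisting anything. The Service name externalip-check, the default namespace, and the test addresses 192.0.2.10 and 203.0.113.5 are assumptions chosen for the check.

```shell
#!/bin/sh
# Added example: verify the externalIP restriction configured with
# --restrict-service-externalip-cidrs. Not part of the Oracle documentation.
set -u

# The same list given to --restrict-service-externalip-cidrs in this chapter.
ALLOWED_CIDRS="192.0.2.0/24,198.51.100.0/24"

# ip_to_int DOTTED_QUAD -> the address as a decimal integer (IPv4 only).
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_cidr IP CIDR -> exit 0 if IP lies inside CIDR, 1 otherwise.
ip_in_cidr() {
    _ipn=$(ip_to_int "$1")
    _netn=$(ip_to_int "${2%/*}")
    _bits=${2#*/}
    # /0 matches everything; otherwise keep the top _bits bits of the address.
    _mask=$(( _bits == 0 ? 0 : (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _ipn & _mask )) -eq $(( _netn & _mask )) ]
}

# ip_allowed IP -> exit 0 if the webhook should admit IP as an externalIP,
# given ALLOWED_CIDRS. An empty list (Sections 9.2 and 9.3) admits nothing.
ip_allowed() {
    _ip=$1
    _rest=$ALLOWED_CIDRS
    [ -z "$_rest" ] && return 1
    while [ -n "$_rest" ]; do
        _cidr=${_rest%%,*}
        case $_rest in *,*) _rest=${_rest#*,} ;; *) _rest="" ;; esac
        ip_in_cidr "$_ip" "$_cidr" && return 0
    done
    return 1
}

# service_manifest NAME IP -> a minimal Service that declares IP as an
# externalIP. The name, namespace and port are assumptions for the check.
service_manifest() {
    cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $1
  namespace: default
spec:
  selector:
    app: $1
  ports:
  - port: 80
  externalIPs:
  - $2
EOF
}

# check_live IP -> submit the test Service with a server-side dry run, so the
# admission webhook runs but the object is never stored.
check_live() {
    service_manifest externalip-check "$1" | kubectl apply --dry-run=server -f -
}

# Live checks only run where kubectl exists; the functions above work offline.
if command -v kubectl >/dev/null 2>&1; then
    echo "== webhook service (absent if --restrict-service-externalip=false):"
    kubectl get service externalip-validation-webhook-service \
        --namespace externalip-validation-system || true
    for addr in 192.0.2.10 203.0.113.5; do
        if ip_allowed "$addr"; then expect=admitted; else expect=rejected; fi
        echo "== externalIP $addr (expected: $expect)"
        check_live "$addr" || true
    done
fi
```

Compare the expected verdict printed for each address with what the API server returns: an admitted dry run prints the Service name, a rejected one prints the webhook's denial message. If the dry run itself is refused because the webhook is registered without declaring that it has no side effects, apply the manifest for real in a scratch namespace instead and delete it afterwards. If both addresses are admitted while you expect a restriction, check that the webhook service is present and that the module's CIDR list is what you think it is.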