Add support for IP/CIDR whitelisting of the incoming traffic #2139
Labels
enhancement
New feature or request
Comments
|
I think that makes sense, we could expose this configuration as follows: spec:
expose:
type: LoadBalancer
port: 65535
loadBalancerSourceRanges:
- 0.0.0.0/0We would then throw an error on the validating webhook if this element is specified with type=NodePort|Route |
|
Actually, a more generic solution such as the following would be more flexible. We can then configure the different expose types appropriately if supported (I haven't looked into the implementation details yet): spec:
expose:
type: LoadBalancer
port: 65535
sourceRanges:
- 0.0.0.0/0 |
|
I was thinking about the generic one as well, e.g. OC route supports whitelisting via |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
As an endpoint can be exposed towards the internet it is nice to be able to limit the access to a set of IPs and CIDRs. There are few expose types within ISPN operator configuration and hopefully all support IP whitelisting.
e.g. for the LoadBalancer It could be done by adding
loadBalancerSourceRangesto the External Service definition (works in EKS, AKS, GCP and likely OC.It used to be an easier option of using the annotation
service.beta.kubernetes.io/load-balancer-source-rangesbut it seem to be deprecated now and a recommendation is to use the spec.loadBalancerSourceRanges on the Service resource instead.Does it makes sense to add feature like this?
Thanks,
Andrey
The text was updated successfully, but these errors were encountered: