Configuring ingress cluster traffic using load balancer allowed source ranges
You can specify a list of IP address ranges for the IngressController
. This restricts access to the load balancer service when the endpointPublishingStrategy
is LoadBalancerService
.
Configuring load balancer allowed source ranges
You can enable and configure the spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges
field. By configuring load balancer allowed source ranges, you can limit the access to the load balancer for the Ingress Controller to a specified list of IP address ranges. The Ingress Operator reconciles the load balancer Service and sets the spec.loadBalancerSourceRanges
field based on AllowedSourceRanges
.
If you have already set the |
Prerequisites
- You have a deployed Ingress Controller on a running cluster.
Procedure
Set the allowed source ranges API for the Ingress Controller by running the following command:
$ oc -n openshift-ingress-operator patch ingresscontroller/default \
--type=merge --patch='{"spec":{"endpointPublishingStrategy": \
{"loadBalancer":{"allowedSourceRanges":["0.0.0.0/0"]}}}}' (1)
1 The example value 0.0.0.0/0
specifies the allowed source range.
Migrating to load balancer allowed source ranges
If you have already set the annotation service.beta.kubernetes.io/load-balancer-source-ranges
, you can migrate to load balancer allowed source ranges. When you set the AllowedSourceRanges
, the Ingress Controller sets the spec.loadBalancerSourceRanges
field based on the AllowedSourceRanges
value and unsets the service.beta.kubernetes.io/load-balancer-source-ranges
annotation.
If you have already set the |
Prerequisites
- You have set the
service.beta.kubernetes.io/load-balancer-source-ranges
annotation.
Procedure
Ensure that the
service.beta.kubernetes.io/load-balancer-source-ranges
is set:$ oc get svc router-default -n openshift-ingress -o yaml
Example output
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/load-balancer-source-ranges: 192.168.0.1/32
Ensure that the
spec.loadBalancerSourceRanges
field is unset:$ oc get svc router-default -n openshift-ingress -o yaml
Example output
...
spec:
loadBalancerSourceRanges:
- 0.0.0.0/0
...
Update your cluster to OKD 4.12.
Set the allowed source ranges API for the
ingresscontroller
by running the following command:$ oc -n openshift-ingress-operator patch ingresscontroller/default \
--type=merge --patch='{"spec":{"endpointPublishingStrategy": \
{"loadBalancer":{"allowedSourceRanges":["0.0.0.0/0"]}}}}' (1)
1 The example value 0.0.0.0/0
specifies the allowed source range.