Configuring ingress cluster traffic using load balancer allowed source ranges

You can specify a list of IP address ranges for the IngressController. This restricts access to the load balancer service when the endpointPublishingStrategy is LoadBalancerService.

Configuring load balancer allowed source ranges

You can enable and configure the spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges field. By configuring load balancer allowed source ranges, you can limit the access to the load balancer for the Ingress Controller to a specified list of IP address ranges. The Ingress Operator reconciles the load balancer Service and sets the spec.loadBalancerSourceRanges field based on AllowedSourceRanges.

If you have already set the spec.loadBalancerSourceRanges field or the load balancer service anotation service.beta.kubernetes.io/load-balancer-source-ranges in a previous version of OKD, Ingress Controller starts reporting Progressing=True after an upgrade. To fix this, set AllowedSourceRanges that overwrites the spec.loadBalancerSourceRanges field and clears the service.beta.kubernetes.io/load-balancer-source-ranges annotation. Ingress Controller starts reporting Progressing=False again.

Prerequisites

  • You have a deployed Ingress Controller on a running cluster.

Procedure

  • Set the allowed source ranges API for the Ingress Controller by running the following command:

    1. $ oc -n openshift-ingress-operator patch ingresscontroller/default \
    2. --type=merge --patch='{"spec":{"endpointPublishingStrategy": \
    3. {"loadBalancer":{"allowedSourceRanges":["0.0.0.0/0"]}}}}' (1)
    1The example value 0.0.0.0/0 specifies the allowed source range.

Migrating to load balancer allowed source ranges

If you have already set the annotation service.beta.kubernetes.io/load-balancer-source-ranges, you can migrate to load balancer allowed source ranges. When you set the AllowedSourceRanges, the Ingress Controller sets the spec.loadBalancerSourceRanges field based on the AllowedSourceRanges value and unsets the service.beta.kubernetes.io/load-balancer-source-ranges annotation.

If you have already set the spec.loadBalancerSourceRanges field or the load balancer service anotation service.beta.kubernetes.io/load-balancer-source-ranges in a previous version of OKD, the Ingress Controller starts reporting Progressing=True after an upgrade. To fix this, set AllowedSourceRanges that overwrites the spec.loadBalancerSourceRanges field and clears the service.beta.kubernetes.io/load-balancer-source-ranges annotation. The Ingress Controller starts reporting Progressing=False again.

Prerequisites

  • You have set the service.beta.kubernetes.io/load-balancer-source-ranges annotation.

Procedure

  1. Ensure that the service.beta.kubernetes.io/load-balancer-source-ranges is set:

    1. $ oc get svc router-default -n openshift-ingress -o yaml

    Example output

    1. apiVersion: v1
    2. kind: Service
    3. metadata:
    4. annotations:
    5. service.beta.kubernetes.io/load-balancer-source-ranges: 192.168.0.1/32
  2. Ensure that the spec.loadBalancerSourceRanges field is unset:

    1. $ oc get svc router-default -n openshift-ingress -o yaml

    Example output

    1. ...
    2. spec:
    3. loadBalancerSourceRanges:
    4. - 0.0.0.0/0
    5. ...
  3. Update your cluster to OKD 4.12.

  4. Set the allowed source ranges API for the ingresscontroller by running the following command:

    1. $ oc -n openshift-ingress-operator patch ingresscontroller/default \
    2. --type=merge --patch='{"spec":{"endpointPublishingStrategy": \
    3. {"loadBalancer":{"allowedSourceRanges":["0.0.0.0/0"]}}}}' (1)
    1The example value 0.0.0.0/0 specifies the allowed source range.

Additional resources