
[Feature] Add support for loadBalancerSourceRanges

Open jsiebens opened this issue 3 years ago • 6 comments

Expected Behaviour

To configure a Load Balancer firewall, there is the option to use the Service's loadBalancerSourceRanges to define the ranges that should be allowed.

When possible, the provisioner could create firewall rules based on the ranges defined in loadBalancerSourceRanges.

Example:

apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
  - port: 8765
    targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 193.92.145.1/32
  - 193.92.145.2/32

With this example, a load balancer will be created that is only accessible to clients with IP addresses from 193.92.145.1 and 193.92.145.2.

Current Behaviour

The field loadBalancerSourceRanges is ignored.

Context

inlets-operator is great to expose some services to the public, but sometimes it could be useful to restrict access to the service based on CIDR ranges.

jsiebens, Sep 19 '20 06:09

Thanks for the suggestion, but please sed inlets with "inlets-operator" :-)

And this feature request will only work with inlets PRO

alexellis, Sep 19 '20 08:09

@alexellis, can you explain why this will only work with inlets PRO?

I was thinking about passing these source ranges to the provisioners. For example, the GCE provisioner already creates a firewall rule with a hardcoded source range 0.0.0.0/0 and the required ports (all for PRO, only 80 and 443 for OSS).

jsiebens, Sep 22 '20 15:09

Let me check that I understand you correctly then.

Are you asking to define a number of TCP ports that are exposed by the exit-server?

alexellis, Sep 22 '20 17:09

It is more about IP CIDR blocks. Some cloud providers honor the loadBalancerSourceRanges field in the Service spec, which allows you to provide a list of IP CIDR blocks allowed to connect to the load balancer. Let's say someone wants to process webhook calls coming from a system with a known IP range for egress. That IP range could be whitelisted as an extra security measure. In the case of the inlets-operator, such IP ranges can be used to create a firewall rule on the exit-node.

jsiebens, Sep 22 '20 19:09
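To make the proposal concrete, here is an added example (not code from the inlets-operator project) of how a provisioner could derive its firewall rule from loadBalancerSourceRanges, combining the issue's example Service with the GCE port policy described above (all ports for PRO, 80 and 443 for OSS). The FirewallRule type and both functions are hypothetical; the example keeps today's 0.0.0.0/0 when the field is empty and rejects malformed or non-canonical CIDRs so that a typo cannot silently widen the rule.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// FirewallRule is a hypothetical, provider-neutral description of the inbound rule a provisioner would create on the exit-node.
type FirewallRule struct {
	SourceRanges []string
	AllPorts     bool  // true: every TCP port (the PRO behaviour described in the thread)
	Ports        []int // otherwise only these ports (80 and 443 for OSS)
}

// SourceRangesFromService turns a Service's loadBalancerSourceRanges into the CIDRs a firewall rule should allow.
// An empty field keeps the current behaviour (0.0.0.0/0). Each entry must parse and be a canonical network:
// a typo such as 193.92.145.1/3 would otherwise be silently widened to 192.0.0.0/3, so it is rejected instead.
func SourceRangesFromService(ranges []string) ([]string, error) {
	if len(ranges) == 0 {
		return []string{"0.0.0.0/0"}, nil
	}
	seen := map[string]bool{}
	var out []string
	for _, raw := range ranges {
		r := strings.TrimSpace(raw)
		ip, ipnet, err := net.ParseCIDR(r)
		if err != nil {
			return nil, fmt.Errorf("loadBalancerSourceRanges: %w", err)
		}
		if !ip.Equal(ipnet.IP) {
			return nil, fmt.Errorf("loadBalancerSourceRanges: %q has host bits set (network is %s)", r, ipnet)
		}
		if canon := ipnet.String(); !seen[canon] { // drop exact duplicates
			seen[canon] = true
			out = append(out, canon)
		}
	}
	return out, nil
}

// BuildFirewallRule combines the validated source ranges with the port policy the thread describes for the GCE provisioner.
func BuildFirewallRule(ranges []string, pro bool) (FirewallRule, error) {
	src, err := SourceRangesFromService(ranges)
	if err != nil {
		return FirewallRule{}, err
	}
	if pro {
		return FirewallRule{SourceRanges: src, AllPorts: true}, nil
	}
	return FirewallRule{SourceRanges: src, Ports: []int{80, 443}}, nil
}
```

Calling BuildFirewallRule with the issue's two /32 entries and pro=false yields a rule allowing only 193.92.145.1/32 and 193.92.145.2/32 on ports 80 and 443.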

OK, I misunderstood what you wanted. I thought you were asking for a range of ports, related to your other request under #97.

When possible, the provisioner could create firewall rules based on the ranges defined in loadBalancerSourceRanges

Perhaps you can link this to the appropriate Kubernetes docs page and give a specific example of what might be within that field?

alexellis, Sep 22 '20 21:09

The loadBalancerSourceRanges field is mentioned in the Kubernetes API Reference. There is a link to https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ with more information, but apparently that document has recently been removed from the website. You can still find it on GitHub: https://github.com/kubernetes/website/blob/dev-1.17/content/en/docs/tasks/access-application-cluster/configure-cloud-provider-firewall.md

I've updated the request with an example.

If this request does not really fit in the idea of inlets-operator, I fully understand that.

jsiebens, Sep 25 '20 08:09