
CCM LoadBalancer - K8s service type LoadBalancer isn't enforcing `Spec.loadBalancerSourceRanges`

Open · cunningr-cisco opened this issue 11 months ago • 1 comment

I am unable to make the loadBalancerSourceRanges work as I expected with the LoadBalancer controller. I have the following service:

```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: echoserver
  annotations:
    oci.oraclecloud.com/load-balancer-type: "nlb"
    oci.oraclecloud.com/ingress-ip-mode: "proxy"
    oci-network-load-balancer.oraclecloud.com/security-list-management-mode: "Frontend"
spec:
  selector:
    app: echoserver
  loadBalancerSourceRanges:
  - 10.0.0.0/24
  ports:
    - port: 80
      targetPort: 8080
      protocol: TCP
      name: http
    - port: 443
      targetPort: 8443
      protocol: TCP
      name: https
  type: LoadBalancer
```

As this is a public load balancer I expected that setting the source range to 10.0.0.0/24 would prevent me from accessing the service over the public Internet from my source IP, but it does not - I can still access my echo-server.

cunningr-cisco, Jun 06 '25 09:06

Could you share the security rules present in your frontend security list? Ideally there should be rules which allow ingress traffic only for the following CIDR/port combinations.

  1. 10.0.0.0/24 - 80
  2. 10.0.0.0/24 - 443

pranavsriram8, Jun 11 '25 06:06
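One way to do the check the reply asks for, as an added example that is not part of the oci-cloud-controller-manager project: a Python audit that compares a Service's `loadBalancerSourceRanges` and ports against a security list's ingress rules and reports declared ranges that no rule admits as well as rules that admit a service port from outside every declared range (the `0.0.0.0/0` case behind the symptom in the issue). The rule field names are assumed to follow the JSON shape of `oci network security-list get`; both inputs here are constructed samples mirroring the manifest above.

```python
import ipaddress
# Constructed sample mirroring the Service in the issue: two TCP ports, one source range.
SERVICE_SPEC = {
    "loadBalancerSourceRanges": ["10.0.0.0/24"],
    "ports": [{"port": 80, "protocol": "TCP"}, {"port": 443, "protocol": "TCP"}],
}
# Constructed sample shaped like `ingress-security-rules` in `oci network security-list get`
# output (protocol "6" = TCP). The 443 rule is deliberately world-open so the audit flags it.
SECURITY_LIST = {"ingress-security-rules": [
    {"source": "10.0.0.0/24", "source-type": "CIDR_BLOCK", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 80, "max": 80}}},
    {"source": "0.0.0.0/0", "source-type": "CIDR_BLOCK", "protocol": "6",
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
]}
PROTO_NUMBERS = {"TCP": "6", "UDP": "17"}

def rule_covers(rule, proto, port):
    """True if the rule admits traffic to proto/port (source not considered)."""
    if rule["protocol"] not in (PROTO_NUMBERS[proto], "all"):
        return False
    opts = rule.get("tcp-options" if proto == "TCP" else "udp-options") or {}
    rng = opts.get("destination-port-range")
    return rng is None or rng["min"] <= port <= rng["max"]  # no range: all ports

def rule_cidr(rule):
    """Source network of a CIDR_BLOCK rule; None for service-CIDR-label rules."""
    if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        return None
    return ipaddress.ip_network(rule["source"], strict=False)

def contains(outer, inner):
    return outer.version == inner.version and inner.subnet_of(outer)

def audit(spec, sec_list):
    """Return (missing, overbroad): declared (cidr, proto, port) tuples no rule admits,
    and (rule_source, proto, port) tuples where a rule admits a port from outside every range."""
    allowed = [ipaddress.ip_network(c) for c in spec["loadBalancerSourceRanges"]]
    missing, overbroad = [], []
    for p in spec["ports"]:
        proto, port = p.get("protocol", "TCP"), p["port"]
        hits = [(r, rule_cidr(r)) for r in sec_list["ingress-security-rules"]
                if rule_cidr(r) is not None and rule_covers(r, proto, port)]
        for rule, src in hits:
            if not any(contains(a, src) for a in allowed):
                overbroad.append((rule["source"], proto, port))
        for a in allowed:
            if not any(contains(src, a) for _, src in hits):
                missing.append((str(a), proto, port))
    return missing, overbroad
```

To run it against a real cluster, feed `audit()` the `spec` object from `kubectl get svc echoserver -o json` and the `data` object from the CLI call for the frontend security list.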