Restricting external IP addresses that can be assigned to services
Kubernetes services can be reached from inside of a cluster through:

- A cluster IP address that is assigned automatically by Kubernetes.
- Any IP address that you specify for the `externalIPs` property in a service spec. External IP addresses are not managed by Kubernetes and are the responsibility of the cluster administrator. External IP addresses specified with `externalIPs` are different from the external IP address assigned to a service of type `LoadBalancer` by a cloud provider.

To learn more about Kubernetes services, see Service.

To restrict the IP addresses that can be specified for `externalIPs` in a service spec, complete the following steps.
1. Deploy `cert-manager` to manage webhook certificates. For more information, see the `cert-manager` documentation.

   ```
   kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
   ```

2. Verify that the `cert-manager` Pods are running.

   ```
   kubectl get pods -n cert-manager
   ```

   An example output is as follows.

   ```
   NAME                                       READY   STATUS    RESTARTS   AGE
   cert-manager-58c8844bb8-nlx7q              1/1     Running   0          15s
   cert-manager-cainjector-745768f6ff-696h5   1/1     Running   0          15s
   cert-manager-webhook-67cc76975b-4v4nk      1/1     Running   0          14s
   ```

3. Review your existing services to ensure that none of them have external IP addresses assigned to them that aren't contained within the CIDR block you want to limit addresses to.

   ```
   kubectl get services -A
   ```

   An example output is as follows.

   ```
   NAMESPACE                      NAME                                    TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
   cert-manager                   cert-manager                            ClusterIP   10.100.102.137   <none>        9402/TCP        20m
   cert-manager                   cert-manager-webhook                    ClusterIP   10.100.6.136     <none>        443/TCP         20m
   default                        kubernetes                              ClusterIP   10.100.0.1       <none>        443/TCP         2d1h
   externalip-validation-system   externalip-validation-webhook-service   ClusterIP   10.100.234.179   <none>        443/TCP         16s
   kube-system                    kube-dns                                ClusterIP   10.100.0.10      <none>        53/UDP,53/TCP   2d1h
   my-namespace                   my-service                              ClusterIP   10.100.128.10    192.168.1.1   80/TCP          149m
   ```

   If any of the values are IP addresses that are not within the block you want to restrict access to, you'll need to change the addresses to be within the block, and redeploy the services. For example, the `my-service` service in the previous output has an external IP address assigned to it that isn't within the CIDR block example in step 5.

4. Download the external IP webhook manifest. You can also view the source code for the webhook on GitHub.

5. Specify CIDR blocks. Open the downloaded file in your editor and remove the `#` at the start of the following lines.

   ```
   #args:
   #- --allowed-external-ip-cidrs=10.0.0.0/8
   ```

   Replace `10.0.0.0/8` with your own CIDR block. You can specify as many blocks as you like. If specifying multiple blocks, add a comma between blocks.

6. Replace `us-west-2`, `602401143452`, and `amazonaws.com.cn` in the file with the following commands. Before running the commands, replace `111122223333` and `region-code` with the values for your Amazon Web Services Region from the list in View Amazon container image registries for Amazon EKS add-ons.

   ```
   sed -i.bak -e 's|602401143452|111122223333|' externalip-webhook.yaml
   sed -i.bak -e 's|us-west-2|region-code|' externalip-webhook.yaml
   sed -i.bak -e 's|amazonaws.com|amazonaws.com.cn|' externalip-webhook.yaml
   ```

7. Apply the manifest to your cluster.

   ```
   kubectl apply -f externalip-webhook.yaml
   ```

   An attempt to deploy a service to your cluster with an IP address specified for `externalIPs` that is not contained in the blocks that you specified in the Specify CIDR blocks step will fail.
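As an added illustration, not part of this guide or of the webhook project, the following Python script performs the review from step 3 offline against constructed sample output and applies the same allowed-CIDR rule to a service manifest, so you can see what the webhook will reject before deploying it. The function names and the sample data are my own assumptions.

```python
import ipaddress

# Constructed sample of `kubectl get services -A` output (not captured from a real cluster).
SAMPLE_OUTPUT = """\
NAMESPACE      NAME          TYPE        CLUSTER-IP      EXTERNAL-IP              PORT(S)   AGE
default        kubernetes    ClusterIP   10.100.0.1      <none>                   443/TCP   2d1h
my-namespace   my-service    ClusterIP   10.100.128.10   192.168.1.1              80/TCP    149m
my-namespace   internal-svc  ClusterIP   10.100.128.11   10.20.30.40,10.20.30.41  80/TCP    10m
"""


def parse_allowed_cidrs(arg: str):
    """Parse the comma-separated value given to --allowed-external-ip-cidrs."""
    return [ipaddress.ip_network(c.strip(), strict=False) for c in arg.split(",") if c.strip()]


def external_ip_allowed(ip: str, allowed) -> bool:
    """True if ip falls inside at least one allowed CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def find_violations(output: str, allowed):
    """Return (namespace, name, ip) for every service whose EXTERNAL-IP is outside the
    allowed blocks. Mirrors the manual review in step 3. <none> and hostnames (as shown
    for some LoadBalancer services) are skipped; only literal IP addresses are checked."""
    lines = output.strip().splitlines()
    header = lines[0].split()
    ns_i, name_i, ext_i = header.index("NAMESPACE"), header.index("NAME"), header.index("EXTERNAL-IP")
    violations = []
    for line in lines[1:]:
        cols = line.split()
        for ext in cols[ext_i].split(","):  # kubectl joins multiple external IPs with commas
            if ext == "<none>":
                continue
            try:
                ipaddress.ip_address(ext)
            except ValueError:
                continue
            if not external_ip_allowed(ext, allowed):
                violations.append((cols[ns_i], cols[name_i], ext))
    return violations


def rejected_external_ips(service: dict, allowed):
    """Return the entries of spec.externalIPs in a Service manifest that fall outside the
    allowed blocks, i.e. the ones the webhook would refuse to admit."""
    ips = service.get("spec", {}).get("externalIPs") or []
    return [ip for ip in ips if not external_ip_allowed(ip, allowed)]
```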