search

inlets / inlets-operator

Get public TCP LoadBalancers for local Kubernetes clusters
https://docs.inlets.dev/reference/inlets-operator
MIT License
1.35k stars 98 forks source link

[Feature] Add support for loadBalancerSourceRanges #98

Closed jsiebens closed 4 months ago

jsiebens commented 4 years ago

Expected Behaviour

To configure a Load Balancer firewall, there is the option to use the Service's loadBalancerSourceRanges to define the ranges that should be allowed.

When possible, the provisioner could create firewall rules based on the ranges defined in loadBalancerSourceRanges

Example:

apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
  - port: 8765
    targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 193.92.145.1/32
  - 193.92.145.2/32

With this example, a load balancer will be created that is only accessible to clients with IP addresses from 193.92.145.1 and 193.92.145.2.

Current Behaviour

The field loadBalancerSourceRanges is ignored.

Context

inlets-operator is great to expose some services to the public, but sometimes it could be useful to restrict access to the service based on CIDR ranges.

alexellis commented 4 years ago

Thanks for the suggestion, but Please sed inlets with "inlets-operator" :-)

And this feature request will only work with inlets PRO

jsiebens commented 4 years ago

@alexellis, can you explain why this will only work with inlets PRO?

I was thinking about passing this source ranges to the provisioners. For example, the GCE provisioner already creates a firewall rule with a hardcoded source range 0.0.0.0/0 and the required ports (all for PRO, only 80 and 443 for OSS)

alexellis commented 4 years ago

Let me check that I understand you correctly then.

Are you asking to define a number of TCP ports that are exposed by the exit-server?

jsiebens commented 4 years ago

It is more about IP CIDR blocks. Some cloud providers honor the loadBalancerSourceRanges field in the Service spec, which allows you to provide a list of IP CIDR blocks allowed to connect to the load balancer. Let's say someone wants to process webhook calls coming from a system with a known IP range for egress. That IP range could be whitelisted as an extra security measure. In case of the inlets-operator, such IP ranges can be used to create a firewall rule on the exit-node.

alexellis commented 4 years ago

OK, I misunderstood what you wanted. I thought you were asking for a range of ports, related to your other request under #97.

When possible, the provisioner could create firewall rules based on the ranges defined in loadBalancerSourceRanges

Perhaps you can link this to the appropriate Kubernetes docs page and give a specific example of what might be within that field?

jsiebens commented 4 years ago

The loadBalancerSourceRanges field is mentioned in Kubernetes API Reference There is a link to https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ with more information, but apparently, that document is recently removed from the website. You can still find it on Github: https://github.com/kubernetes/website/blob/dev-1.17/content/en/docs/tasks/access-application-cluster/configure-cloud-provider-firewall.md

I've updated the request with an example.

If this request does not really fit in the idea of inlets-operator, I fully understand that