3
votes

I have a Kubernetes 1.4.5 cluster running on GKE that I would like to put into test. It accepts HTTPS using an Ingress as below

kind: Ingress
apiVersion: extensions/v1beta1   # Ingress API group on Kubernetes 1.4.x
metadata:
  name: keycloak-ingress
  annotations:
    kubernetes.io/ingress.allow-http: "false"   # HTTPS only; no port-80 forwarding rule on the GCE LB
    #kubernetes.io/ingress.class: "gce"
spec:
  tls:
  - secretName: mysecret                        # TLS cert/key served by the GCE HTTP(S) LB
  backend:
    serviceName: keycloak-https-service         # default backend; the LB targets its NodePort
    servicePort: 443

Whilst in test, I want to limit the source IPs that can access my cluster. Because the Load Balancer converts the source IP of all incoming traffic into local IP addresses, the Google Cloud firewall cannot limit this traffic. Is there a way I can limit traffic going into the load balancer?

I understand this is strictly a GCE question, but there may be a solution that Kubernetes may offer.


2 Answers

4
votes

You're looking at a pipeline:

GCE L7 LB -> vm:nodePort -> pods

The traffic going:

GCE L7 LB -> your vms

should come from 130.211.0.0/22 as mentioned in https://cloud.google.com/compute/docs/load-balancing/http/#fundamentals. You should already have a firewall rule for that. The traffic going:

vms -> containers

should come from your vm ips. You can't regulate who talks to the lb, you can regulate who talks to the nodes.

Unfortunately because of the described situation, this doesn't work for HTTP LB. It will work for L3/L4 LB, because you get the source ip of your actual client in the packet that ends up at the vm: http://kubernetes.io/docs/user-guide/load-balancer/#annotation-to-modify-the-loadbalancer-behavior-for-preservation-of-source-ip
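The point the answer makes can be checked locally. The following is an added illustration, not code from the question or the answer: it models the packet as the node VM sees it behind each load balancer type, then applies a source-range VPC firewall rule to that packet. The office CIDR, client addresses and the proxy address are constructed; the `OnlyLocal` annotation is the 1.4-era form documented at the link above; `130.211.0.0/22` is the range the answer cites, and `35.191.0.0/16` is the second proxy range listed in Google's current documentation.

```python
"""Why a VPC firewall cannot allowlist clients behind the GCE HTTP(S) LB.

Added illustration, not from the original post. It models the packet as the
node (VM) sees it for the two load balancer types the answer contrasts, then
applies a source-range firewall rule to that packet. Names, CIDRs and
addresses are constructed for the example.
"""
import ipaddress

# Proxy range the answer cites for GCE L7 LB -> VM traffic. Google's current
# docs list 35.191.0.0/16 alongside it, so both are included here.
L7_PROXY_RANGES = [ipaddress.ip_network("130.211.0.0/22"),
                   ipaddress.ip_network("35.191.0.0/16")]

# Constructed: the tester's office egress range, the only source to admit.
OFFICE_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def packet_as_seen_by_node(lb_type, client_ip, node_port):
    """Return (src_ip, dst_port, headers) for the packet arriving at the VM.

    "http"         -> the GCE L7 proxy terminates the client's TCP connection
                      and opens a new one from its own range; the client IP
                      survives only in X-Forwarded-For, which a packet filter
                      never inspects.
    "l4_onlylocal" -> Network LB with the 1.4-era annotation
                      service.beta.kubernetes.io/external-traffic: "OnlyLocal";
                      the node sees the real client IP.
    """
    if lb_type == "http":
        proxy_ip = "130.211.1.7"  # constructed address inside 130.211.0.0/22
        return proxy_ip, node_port, {"X-Forwarded-For": f"{client_ip}, {proxy_ip}"}
    if lb_type == "l4_onlylocal":
        return client_ip, node_port, {}
    raise ValueError(lb_type)


def firewall_allows(src_ip, allowed_ranges):
    """A GCE VPC ingress rule matches on packet source only (no headers)."""
    return in_ranges(src_ip, allowed_ranges)


def can_restrict_to_office(lb_type):
    """True when an office-only rule on the nodes admits an office client
    and rejects everyone else; False when it cannot tell them apart."""
    office_client = "203.0.113.10"   # constructed
    stranger = "198.51.100.99"       # constructed
    office_src, _, _ = packet_as_seen_by_node(lb_type, office_client, 30443)
    stranger_src, _, _ = packet_as_seen_by_node(lb_type, stranger, 30443)
    return (firewall_allows(office_src, OFFICE_ALLOWLIST)
            and not firewall_allows(stranger_src, OFFICE_ALLOWLIST))


def node_firewall_rule_cmd(name, ranges, node_port, target_tag):
    """gcloud invocation for the node-side rule the answer describes
    (LB proxy range -> NodePort); flags are the documented ones."""
    src = ",".join(str(n) for n in ranges)
    return (f"gcloud compute firewall-rules create {name} "
            f"--direction=INGRESS --allow=tcp:{node_port} "
            f"--source-ranges={src} --target-tags={target_tag}")


if __name__ == "__main__":
    for lb in ("http", "l4_onlylocal"):
        print(f"{lb:14s} office-only rule works: {can_restrict_to_office(lb)}")
    # Behind the HTTP LB the only rule that keeps the service reachable is the
    # one admitting the proxy range, and that admits every client it forwards.
    print(node_firewall_rule_cmd("allow-gfe-to-nodes", L7_PROXY_RANGES, 30443, "gke-node"))
```

Running it prints `False` for the HTTP LB and `True` for the L4 `OnlyLocal` case, which is exactly the split the answer describes: a node-side firewall can choose between "admit the proxy range" and "admit nobody", but it cannot choose among the clients behind the proxy.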

0
votes

The Cloud Armor product enables you to restrict access to a Load Balancer using an IP whitelist. This product might have been introduced since the OP asked the question. I've used Cloud Armor to IP restrict load balanced traffic to Kubernetes Ingress.

https://cloud.google.com/armor/docs/security-policy-concepts#ip_address_allow_list_and_deny_list_rules_in_a_security_policy
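As an added example of the approach this answer describes (not code from the answer itself), the script below builds the `gcloud` commands for a Cloud Armor security policy that allows a list of CIDRs and denies everything else, and evaluates the resulting rule set locally the way Cloud Armor does (ascending priority, first match wins, fixed default rule at priority 2147483647). The policy name, backend service name and CIDRs are constructed placeholders; the flags are the documented ones for `gcloud compute security-policies` and `gcloud compute backend-services`.

```python
"""Cloud Armor IP allowlist for a GKE Ingress backend.

Added example, not from the original answer. POLICY, BACKEND and the CIDRs
are constructed placeholders. Generates the gcloud commands and checks the
policy's rule ordering offline.
"""
import ipaddress

DEFAULT_RULE_PRIORITY = 2147483647   # Cloud Armor's fixed default-rule priority
MAX_RANGES_PER_RULE = 10             # documented limit on --src-ip-ranges per rule


def allowlist_rules(ranges, first_priority=1000):
    """Return (priority, action, ranges) tuples: one allow rule per 10 CIDRs,
    then the default rule switched to deny-403 so unlisted clients get 403."""
    rules = []
    for i in range(0, len(ranges), MAX_RANGES_PER_RULE):
        chunk = ranges[i:i + MAX_RANGES_PER_RULE]
        rules.append((first_priority + i // MAX_RANGES_PER_RULE, "allow", chunk))
    rules.append((DEFAULT_RULE_PRIORITY, "deny-403", ["*"]))
    return rules


def gcloud_commands(policy, backend, ranges):
    """gcloud invocations that create the policy, add the rules and attach
    the policy to the LB backend service that fronts the Ingress."""
    cmds = [f"gcloud compute security-policies create {policy} "
            f"--description='IP allowlist while in test'"]
    for prio, action, chunk in allowlist_rules(ranges):
        if prio == DEFAULT_RULE_PRIORITY:
            # The default rule exists as soon as the policy does: update it.
            cmds.append(f"gcloud compute security-policies rules update {prio} "
                        f"--security-policy={policy} --action={action}")
        else:
            cmds.append(f"gcloud compute security-policies rules create {prio} "
                        f"--security-policy={policy} --action={action} "
                        f"--src-ip-ranges={','.join(chunk)}")
    cmds.append(f"gcloud compute backend-services update {backend} "
                f"--security-policy={policy} --global")
    return cmds


def evaluate(policy_rules, client_ip):
    """Mimic Cloud Armor evaluation: lowest priority number first, first
    matching rule decides. Cloud Armor sees the real client IP because it
    runs at the proxy, before the 130.211.0.0/22 hop the VPC firewall sees."""
    addr = ipaddress.ip_address(client_ip)
    for _prio, action, chunk in sorted(policy_rules, key=lambda r: r[0]):
        if "*" in chunk or any(addr in ipaddress.ip_network(c) for c in chunk):
            return action
    raise AssertionError("the default rule always matches")


if __name__ == "__main__":
    allowed = ["203.0.113.0/24", "198.51.100.7/32"]        # constructed
    for cmd in gcloud_commands("test-allowlist", "k8s-be-30443--0123abcd", allowed):
        print(cmd)
    rules = allowlist_rules(allowed)
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, "->", evaluate(rules, ip))
```

The backend service to attach the policy to is the one the GKE Ingress controller created for the Service; its name is generated (`k8s-be-<nodeport>--<hash>` style) and can be found with `gcloud compute backend-services list`. On current GKE the policy can instead be referenced from a `BackendConfig` (`spec.securityPolicy.name`), which survives the Ingress being recreated.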