Restrict external IP addresses that can be assigned to services
Kubernetes services can be reached from inside of a cluster through:
- A cluster IP address that is assigned automatically by Kubernetes
- Any IP address that you specify for the externalIPs property in a service spec. External IP addresses are not managed by Kubernetes and are the responsibility of the cluster administrator. External IP addresses specified with externalIPs are different from the external IP address assigned to a service of type LoadBalancer by a cloud provider.
To learn more about Kubernetes services, see Service.
1. Deploy cert-manager to manage webhook certificates. For more information, see the cert-manager documentation.
   kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
2. Verify that the cert-manager Pods are running.
   kubectl get pods -n cert-manager
   An example output is as follows.
   NAME                                       READY   STATUS    RESTARTS   AGE
   cert-manager-58c8844bb8-nlx7q              1/1     Running   0          15s
   cert-manager-cainjector-745768f6ff-696h5   1/1     Running   0          15s
   cert-manager-webhook-67cc76975b-4v4nk      1/1     Running   0          14s
3. Review your existing services to ensure that none of them have external IP addresses assigned to them that aren't contained within the CIDR block you want to limit addresses to.
   kubectl get services -A
   An example output is as follows.
   NAMESPACE                      NAME                                    TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
   cert-manager                   cert-manager                            ClusterIP   10.100.102.137   <none>        9402/TCP        20m
   cert-manager                   cert-manager-webhook                    ClusterIP   10.100.6.136     <none>        443/TCP         20m
   default                        kubernetes                              ClusterIP   10.100.0.1       <none>        443/TCP         2d1h
   externalip-validation-system   externalip-validation-webhook-service   ClusterIP   10.100.234.179   <none>        443/TCP         16s
   kube-system                    kube-dns                                ClusterIP   10.100.0.10      <none>        53/UDP,53/TCP   2d1h
   my-namespace                   my-service                              ClusterIP   10.100.128.10    192.168.1.1   80/TCP          149m
   If any of the values are IP addresses that are not within the block you want to restrict access to, you'll need to change the addresses to be within the block, and redeploy the services. For example, the my-service service in the previous output has an external IP address assigned to it that isn't within the CIDR block example in step 5.
4. Download the external IP webhook manifest. You can also view the source code for the webhook on GitHub.
   curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/docs/externalip-webhook.yaml
5. Specify CIDR blocks. Open the downloaded file in your editor and remove the # at the start of the following lines.
   #args:
   #- --allowed-external-ip-cidrs=10.0.0.0/8
   Replace 10.0.0.0/8 with your own CIDR block. You can specify as many blocks as you like. If specifying multiple blocks, add a comma between blocks.
6. If your cluster is not in the us-west-2 AWS Region, then replace us-west-2, 602401143452, and amazonaws.com in the file with the following commands. Before running the commands, replace region-code and 111122223333 with the value for your AWS Region from the list in View Amazon container image registries for Amazon EKS add-ons.
   sed -i.bak -e 's|602401143452|111122223333|' externalip-webhook.yaml
   sed -i.bak -e 's|us-west-2|region-code|' externalip-webhook.yaml
   sed -i.bak -e 's|amazonaws.com||' externalip-webhook.yaml
7. Apply the manifest to your cluster.
   kubectl apply -f externalip-webhook.yaml
   An attempt to deploy a service to your cluster with an IP address specified for externalIPs that is not contained in the blocks that you specified in the Specify CIDR blocks step will fail.
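The following Python script is an added example, not code from this guide or from the webhook project. It mirrors the rule the webhook enforces: it parses the comma-separated --allowed-external-ip-cidrs value from step 5, reports the entries of a service's spec.externalIPs that fall outside those blocks, and runs that check over the output of kubectl get services -A -o json so that the review in step 3 can be done against the spec rather than by reading the EXTERNAL-IP column. The sample JSON below is constructed for the example.

```python
import ipaddress
import json

# Constructed sample standing in for `kubectl get services -A -o json` output.
# The webhook validates spec.externalIPs only; LoadBalancer addresses sit under status.
SAMPLE_SERVICES_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "kubernetes"},
     "spec": {"type": "ClusterIP"}},
    {"metadata": {"namespace": "my-namespace", "name": "my-service"},
     "spec": {"type": "ClusterIP", "externalIPs": ["192.168.1.1"]}},
    {"metadata": {"namespace": "apps", "name": "internal-api"},
     "spec": {"type": "ClusterIP", "externalIPs": ["10.20.30.40"]}},
    {"metadata": {"namespace": "apps", "name": "public-lb"},
     "spec": {"type": "LoadBalancer"},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.7"}]}}},
]})

def parse_allowed_cidrs(flag_value):
    """Parse the comma-separated value of --allowed-external-ip-cidrs."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in flag_value.split(",") if c.strip()]

def _is_allowed(raw, allowed):
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:  # malformed entry: fail closed and report it
        return False
    return any(ip in net for net in allowed)

def disallowed_external_ips(external_ips, allowed):
    """Entries of a service's externalIPs that fall outside every allowed block."""
    return [raw for raw in external_ips if not _is_allowed(raw, allowed)]

def audit_services(service_list_json, allowed):
    """(namespace, name, offending_ips) for services that must change before step 7."""
    findings = []
    for svc in json.loads(service_list_json)["items"]:
        ips = svc.get("spec", {}).get("externalIPs") or []
        bad = disallowed_external_ips(ips, allowed)
        if bad:
            meta = svc["metadata"]
            findings.append((meta["namespace"], meta["name"], bad))
    return findings

if __name__ == "__main__":
    allowed = parse_allowed_cidrs("10.0.0.0/8")
    for ns, name, bad in audit_services(SAMPLE_SERVICES_JSON, allowed):
        print(f"{ns}/{name}: externalIPs outside allowed CIDRs: {bad}")
```

To run it against a live cluster, pipe the output of kubectl get services -A -o json into audit_services instead of the constructed sample.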