Authorize Inbound Traffic for Your EKF Deployment

This section will walk you through allowing trusted CIDRs to reach services running in your EKF deployment, including Rok and Rok Registry.

Note

To sync between Rok clusters, you need to allow the Rok clusters to talk to your Rok Registry. Even if your Rok cluster and your Rok Registry cluster are co-located, you still need to go through this guide to allow outbound connections to re-enter the cluster.

What You’ll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Specify the desired trusted CIDRs:

    root@rok-tools:~/ops/deployments# export TRUSTED_CIDRS=<TRUSTED_CIDR>

    Replace the <TRUSTED_CIDR> with the desired trusted CIDR, for example:

    root@rok-tools:~/ops/deployments# export TRUSTED_CIDRS=198.51.100.1/32

    Note

    You can specify multiple trusted CIDRs by providing a space-separated list:

    root@rok-tools:~/ops/deployments# export TRUSTED_CIDRS="<TRUSTED_CIDR_1> <TRUSTED_CIDR_2>"

    Replace the <TRUSTED_CIDR_1> and <TRUSTED_CIDR_2> with the trusted CIDRs, for example:

    root@rok-tools:~/ops/deployments# export TRUSTED_CIDRS="198.51.100.1/32 203.0.113.1/32"
  3. Update the required context, based on how you have exposed your services.

    1. Restore the required context from the previous sections:

      root@rok-tools:~/ops/deployments# source deploy/env.eks-alb-nginx
      root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_HOSTNAME
    2. Update the context:

      root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_TRUSTED_CIDRS=${TRUSTED_CIDRS?}
    3. Render the deploy/env.eks-alb-nginx.j2 template:

      root@rok-tools:~/ops/deployments# rok-j2 deploy/env.eks-alb-nginx.j2 \
      >     -o deploy/env.eks-alb-nginx

    Currently we do not support restoring environment variables for the Classic Load Balancer on AWS. Skip this step.

    Currently we do not support restoring environment variables for the Azure Load Balancer on Azure. Skip this step.

    Currently we do not support restoring environment variables for the Network Load Balancer (Google Cloud). Skip this step.

  4. Edit the Kustomize patch, based on how you have exposed your services.

    Edit rok/nginx-ingress-controller/overlays/deploy/patches/ingress-alb.yaml and set the desired trusted CIDRs in the corresponding annotation:

    alb.ingress.kubernetes.io/inbound-cidrs: 198.51.100.1/32,203.0.113.1/32 # <-- Update this line with your trusted CIDRs (comma separated)

    Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-elb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Add each trusted CIDR in a separate line:

    spec:
      loadBalancerSourceRanges:
        - "198.51.100.1/32" # <-- Update this line with one of your trusted CIDRs
        - "203.0.113.1/32" # <-- Update this line with one of your trusted CIDRs

    Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-azurelb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Add each trusted CIDR in a separate line:

    spec:
      loadBalancerSourceRanges:
        - "198.51.100.1/32" # <-- Update this line with one of your trusted CIDRs
        - "203.0.113.1/32" # <-- Update this line with one of your trusted CIDRs

    Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-gclb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Add each trusted CIDR in a separate line:

    spec:
      loadBalancerSourceRanges:
        - "198.51.100.1/32" # <-- Update this line with one of your trusted CIDRs
        - "203.0.113.1/32" # <-- Update this line with one of your trusted CIDRs
  5. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit \
    >     -am "Reconfigure trusted CIDRs for NGINX"
  6. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    >     rok/nginx-ingress-controller/overlays/deploy
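
The steps above hand-copy the same CIDR list into two different formats (a comma-separated ALB annotation, or a YAML list for loadBalancerSourceRanges), and a typo there silently widens who can reach the cluster. The following added helper, which is example code and not part of rok-tools or the EKF repository, validates a space-separated TRUSTED_CIDRS value the way this guide defines it and renders both formats; the sample CIDRs are constructed documentation addresses.

```python
import ipaddress
import os

# Constructed sample input in the space-separated TRUSTED_CIDRS form
# used by this guide (documentation addresses, not real hosts).
SAMPLE_TRUSTED_CIDRS = "198.51.100.1/32 203.0.113.1/32"


def parse_trusted_cidrs(value):
    """Parse TRUSTED_CIDRS and reject entries that would widen the allow-list.

    strict=True makes ipaddress refuse CIDRs with host bits set, such as
    198.51.100.1/24: almost always a typo that admits a whole /24 instead
    of one host. 0.0.0.0/0 and IPv6 entries are refused as well, since the
    load balancer patches in this guide carry IPv4 source ranges.
    """
    networks = []
    for token in value.split():
        try:
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid trusted CIDR {token!r}: {exc}") from exc
        if net.version != 4:
            raise ValueError(f"only IPv4 CIDRs are supported: {token}")
        if net.prefixlen == 0:
            raise ValueError(f"{token} allows every source address; refusing")
        networks.append(net)
    if not networks:
        raise ValueError("TRUSTED_CIDRS is empty; nothing would be allowed")
    # Deduplicate and sort so the rendered patch is stable between runs.
    return sorted(set(networks))


def alb_inbound_cidrs(networks):
    """Value for alb.ingress.kubernetes.io/inbound-cidrs (comma-separated)."""
    return ",".join(str(n) for n in networks)


def load_balancer_source_ranges(networks):
    """YAML fragment for spec.loadBalancerSourceRanges, one CIDR per line."""
    lines = ["spec:", "  loadBalancerSourceRanges:"]
    lines += [f'    - "{n}"' for n in networks]
    return "\n".join(lines) + "\n"


def broad_ranges(networks, max_hosts=256):
    """CIDRs admitting more than max_hosts addresses, for a reviewer to confirm."""
    return [str(n) for n in networks if n.num_addresses > max_hosts]


if __name__ == "__main__":
    nets = parse_trusted_cidrs(os.environ.get("TRUSTED_CIDRS", SAMPLE_TRUSTED_CIDRS))
    print("inbound-cidrs:", alb_inbound_cidrs(nets))
    print(load_balancer_source_ranges(nets), end="")
    for wide in broad_ranges(nets):
        print(f"warning: {wide} is wider than a /24; confirm this is intended")
```

Run it with TRUSTED_CIDRS exported as in step 2 and paste the output into the patch that matches your load balancer.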

Summary

You have successfully allowed trusted CIDRs to reach services running in your EKF deployment.

What’s Next

You can check out the rest of the maintenance operations that you can perform on your cluster.