Authorize Inbound Traffic for Your EKF Deployment

This section will walk you through allowing trusted CIDRs to reach services running in your EKF deployment, including Rok and Rok Registry.

Note

To sync between Rok clusters, you need to allow the Rok clusters to talk to your Rok Registry. Even if your Rok cluster and your Rok Registry cluster are co-located, you still need to go through this guide to allow outbound connections to re-enter the cluster.

What You'll Need

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
    
  2. Edit the Kustomize patch that matches how you have exposed your services.

    Edit rok/nginx-ingress-controller/overlays/deploy/patches/ingress-alb.yaml and set the desired trusted CIDRs in the corresponding annotation:

    alb.ingress.kubernetes.io/inbound-cidrs: 198.51.100.1/32,203.0.113.1/32  # <-- Update this line with your trusted CIDRs (comma separated)
    

    Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-elb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs:

    spec:
      loadBalancerSourceRanges:
      - "198.51.100.1/32"  # <-- Update this line with one of your trusted CIDRs
      - "203.0.113.1/32"  # <-- Update this line with one of your trusted CIDRs
    

    Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-azurelb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs:

    spec:
      loadBalancerSourceRanges:
      - "198.51.100.1/32"  # <-- Update this line with one of your trusted CIDRs
      - "203.0.113.1/32"  # <-- Update this line with one of your trusted CIDRs
    

    Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-gclb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs:

    spec:
      loadBalancerSourceRanges:
      - "198.51.100.1/32"  # <-- Update this line with one of your trusted CIDRs
      - "203.0.113.1/32"  # <-- Update this line with one of your trusted CIDRs
    
  3. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit \
    > -am "Reconfigure trusted CIDRs for NGINX"
    
  4. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    > rok/nginx-ingress-controller/overlays/deploy
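
A check you can run on the edited patch before the commit in step 3, added here as an example (it is not part of rok-tools or of this guide's own tooling). It extracts the CIDRs from either patch style in step 2 and flags entries that are malformed, have host bits set, or match every address; the sample patch contents and the `MIN_PREFIX` threshold are assumptions.

```python
import ipaddress
import re

MIN_PREFIX = 16  # assumed policy: flag IPv4 ranges broader than /16
# Constructed sample patches (documentation addresses, not a real deployment).
ALB_PATCH = """\
    alb.ingress.kubernetes.io/inbound-cidrs: 198.51.100.1/32,203.0.113.1/32  # ok
"""
LB_PATCH = """\
spec:
  loadBalancerSourceRanges:
  - "198.51.100.1/32"
  - "0.0.0.0/0"        # opens the load balancer to everyone
  - "203.0.113.5/24"   # host bits set: probably a typo for /32
"""

def extract_cidrs(text):
    """Pull CIDR strings out of either patch style used in step 2."""
    m = re.search(r"inbound-cidrs:\s*([^#\n]+)", text)
    if m:
        return [c.strip().strip("\"'") for c in m.group(1).split(",") if c.strip()]
    cidrs, in_list = [], False
    for line in text.splitlines():
        item = line.split("#")[0].strip()  # drop trailing YAML comments
        if item.startswith("loadBalancerSourceRanges:"):
            in_list = True
        elif in_list and item.startswith("- "):
            cidrs.append(item[2:].strip().strip("\"'"))
        elif in_list and item:
            in_list = False  # the next key ends the list
    return cidrs

def check_cidrs(cidrs):
    """Return (cidr, problem) findings; an empty list means the set looks sane."""
    findings = [] if cidrs else [("", "no CIDRs found in patch")]
    for c in cidrs:
        try:
            net = ipaddress.ip_network(c, strict=True)  # strict rejects host bits
        except ValueError as exc:
            findings.append((c, f"invalid: {exc}"))
            continue
        if net.prefixlen == 0:
            findings.append((c, "matches every address"))
        elif net.version == 4 and net.prefixlen < MIN_PREFIX:
            findings.append((c, f"broader than /{MIN_PREFIX}"))
    return findings

if __name__ == "__main__":
    for cidr, problem in check_cidrs(extract_cidrs(LB_PATCH)):
        print(f"{cidr or '<none>'}: {problem}")
```

To use it on a real patch, pass the file's contents to `extract_cidrs` and treat a non-empty result from `check_cidrs` as a reason to stop before committing.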
    

Summary

You have successfully allowed trusted CIDRs to reach services running in your EKF deployment.

What's Next

You can check out the rest of the maintenance operations that you can perform on your cluster.