Authorize Inbound Traffic for Your EKF Deployment¶
This section will walk you through allowing trusted CIDRs to reach services running in your EKF deployment, including Rok and Rok Registry.
Note
To sync between Rok clusters, you need to allow the Rok clusters to talk to your Rok Registry. Even if your Rok cluster and your Rok Registry cluster are co-located, you still need to go through this guide to allow outbound connections to re-enter the cluster.
Overview
What You’ll Need¶
- A configured management environment.
- Access to the cluster’s running services.
- A list of CIDRs that you want to have access to the EKF deployment, including the outbound IP addresses of your existing clusters.
Procedure¶
1. Go to your GitOps repository, inside your rok-tools management environment:

       root@rok-tools:~# cd ~/ops/deployments

2. Specify the desired trusted CIDRs:

       root@rok-tools:~/ops/deployments# export TRUSTED_CIDRS=<TRUSTED_CIDR>

   Replace <TRUSTED_CIDR> with the desired trusted CIDR, for example:

       root@rok-tools:~/ops/deployments# export TRUSTED_CIDRS=198.51.100.1/32

   Note

   You can specify multiple trusted CIDRs by providing a space-separated list:

       root@rok-tools:~/ops/deployments# export TRUSTED_CIDRS="<TRUSTED_CIDR_1> <TRUSTED_CIDR_2>"

   Replace <TRUSTED_CIDR_1> and <TRUSTED_CIDR_2> with the trusted CIDRs, for example:

       root@rok-tools:~/ops/deployments# export TRUSTED_CIDRS="198.51.100.1/32 203.0.113.1/32"

3. Update the required context, based on how you have exposed your services.

   - AWS Application Load Balancer: Restore the required context from the previous sections:

         root@rok-tools:~/ops/deployments# source deploy/env.eks-alb-nginx
         root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_HOSTNAME

     Update the context:

         root@rok-tools:~/ops/deployments# export EKS_ALB_NGINX_TRUSTED_CIDRS=${TRUSTED_CIDRS?}

     Render the deploy/env.eks-alb-nginx.j2 template:

         root@rok-tools:~/ops/deployments# j2 deploy/env.eks-alb-nginx.j2 \
         >    -o deploy/env.eks-alb-nginx

   - AWS Classic Load Balancer: Currently we do not support restoring environment variables for the Classic Load Balancer on AWS. Skip this step.

   - Azure Load Balancer: Currently we do not support restoring environment variables for the Azure Load Balancer on Azure. Skip this step.

   - Google Cloud Network Load Balancer: Currently we do not support restoring environment variables for the Network Load Balancer (Google Cloud). Skip this step.

4. Edit the Kustomize patch, based on how you have exposed your services.

   - AWS Application Load Balancer: Edit rok/nginx-ingress-controller/overlays/deploy/patches/ingress-alb.yaml and set the desired trusted CIDRs in the corresponding annotation:

         alb.ingress.kubernetes.io/inbound-cidrs: 198.51.100.1/32,203.0.113.1/32  # <-- Update this line with your trusted CIDRs (comma separated)

   - AWS Classic Load Balancer: Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-elb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Add each trusted CIDR in a separate line:

         spec:
           loadBalancerSourceRanges:
             - "198.51.100.1/32"  # <-- Update this line with one of your trusted CIDRs
             - "203.0.113.1/32"  # <-- Update this line with one of your trusted CIDRs

   - Azure Load Balancer: Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-azurelb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Add each trusted CIDR in a separate line:

         spec:
           loadBalancerSourceRanges:
             - "198.51.100.1/32"  # <-- Update this line with one of your trusted CIDRs
             - "203.0.113.1/32"  # <-- Update this line with one of your trusted CIDRs

   - Google Cloud Network Load Balancer: Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-gclb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs. Add each trusted CIDR in a separate line:

         spec:
           loadBalancerSourceRanges:
             - "198.51.100.1/32"  # <-- Update this line with one of your trusted CIDRs
             - "203.0.113.1/32"  # <-- Update this line with one of your trusted CIDRs

5. Commit your changes:

       root@rok-tools:~/ops/deployments# git commit \
       >    -am "Reconfigure trusted CIDRs for NGINX"

6. Apply the kustomization:

       root@rok-tools:~/ops/deployments# rok-deploy --apply \
       >    rok/nginx-ingress-controller/overlays/deploy
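Because the same allow-list is typed once as a space-separated TRUSTED_CIDRS value and then copied by hand into a comma-separated ALB annotation and a YAML loadBalancerSourceRanges list, a typo or an over-wide range (0.0.0.0/0) silently widens who can reach Rok and Rok Registry. The helper below is an added example, not part of rok-tools or the EKF deployment; it validates the TRUSTED_CIDRS format used above and renders both forms the patches need. The /8 width limit and the function names are assumptions of this example.

```python
"""Validate a TRUSTED_CIDRS list and render it as the ALB annotation value
and as a loadBalancerSourceRanges block. Added helper, not part of rok-tools."""
import ipaddress
import os

# Assumed default: anything wider than /8 is treated as "allow everyone".
MAX_PREFIX_WIDTH = 8


def parse_trusted_cidrs(value: str, max_width: int = MAX_PREFIX_WIDTH) -> list[str]:
    """Parse a space-separated CIDR list (the TRUSTED_CIDRS format).

    Raises ValueError for malformed entries, networks with host bits set
    (198.51.100.1/24), duplicates, an empty list, and ranges wider than
    /max_width such as 0.0.0.0/0, which would expose the services to everyone.
    """
    accepted: list[str] = []
    for token in value.split():
        try:
            # strict=True rejects e.g. "198.51.100.1/24" (host bits set)
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:
            raise ValueError(f"invalid CIDR {token!r}: {exc}") from exc
        if net.prefixlen < max_width:
            raise ValueError(f"{token} is wider than /{max_width}; not allow-listing it")
        if net.with_prefixlen in accepted:
            raise ValueError(f"duplicate CIDR {net.with_prefixlen}")
        accepted.append(net.with_prefixlen)
    if not accepted:
        # ${TRUSTED_CIDRS?} only catches an unset variable, not an empty one.
        raise ValueError("TRUSTED_CIDRS is empty")
    return accepted


def alb_inbound_cidrs(cidrs: list[str]) -> str:
    """Comma-separated value for alb.ingress.kubernetes.io/inbound-cidrs."""
    return ",".join(cidrs)


def source_ranges_yaml(cidrs: list[str]) -> str:
    """spec.loadBalancerSourceRanges block, one quoted CIDR per line."""
    lines = ["spec:", "  loadBalancerSourceRanges:"]
    lines += [f'    - "{cidr}"' for cidr in cidrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed default mirrors the guide's two example CIDRs.
    cidrs = parse_trusted_cidrs(os.environ.get("TRUSTED_CIDRS", "198.51.100.1/32 203.0.113.1/32"))
    print("alb.ingress.kubernetes.io/inbound-cidrs: " + alb_inbound_cidrs(cidrs))
    print(source_ranges_yaml(cidrs), end="")
```

Run it inside the rok-tools shell after exporting TRUSTED_CIDRS; it refuses to render if any entry is malformed or too broad.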
Summary¶
You have successfully allowed trusted CIDRs to reach services running in your EKF deployment.
What’s Next¶
You can check out the rest of the maintenance operations that you can perform on your cluster.