I have a Kubernetes 1.4.5 cluster running on GKE that I would like to put into test. It accepts HTTPS using an Ingress as below
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: keycloak-ingress
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    #kubernetes.io/ingress.class: "gce"
spec:
  tls:
  - secretName: mysecret
  backend:
    serviceName: keycloak-https-service
    servicePort: 443
Whilst in test, I want to limit the source IPs that can access my cluster. Because the Load Balancer converts the source IP of all incoming traffic into local IP addresses, the Google Cloud firewall cannot limit this traffic. Is there a way I can limit traffic going into the load balancer?
I understand this is strictly a GCE question, but there may be a solution that Kubernetes may offer.
You're looking at a pipeline:
GCE L7 LB -> vm:nodePort -> pods
The traffic going:
GCE L7 LB -> your vms
should come from 130.211.0.0/22 as mentioned in https://cloud.google.com/compute/docs/load-balancing/http/#fundamentals. You should already have a firewall rule for that. The traffic going:
vms -> containers
should come from your vm ips. You can't regulate who talks to the lb, you can regulate who talks to the nodes.
Unfortunately because of the described situation, this doesn't work for HTTP LB. It will work for L3/L4 LB, because you get the source ip of your actual client in the packet that ends up at the vm: http://kubernetes.io/docs/user-guide/load-balancer/#annotation-to-modify-the-loadbalancer-behavior-for-preservation-of-source-ip
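The L3/L4 alternative the answer points to, written out as an added example (this is not code from the question or the answer): a Service of type LoadBalancer in front of the same Keycloak pods, carrying the source-IP-preservation annotation from the linked docs together with `loadBalancerSourceRanges`, which is the Kubernetes-level way to restrict which client networks may reach a GCE network load balancer (the cloud provider turns it into a firewall rule on the node VMs). The service name, the `app: keycloak` selector, the container port and the 203.0.113.0/24 range are assumptions for illustration.

```yaml
# Added example, not from the original post or answer.
# Exposes the Keycloak pods through a GCE network (L3/L4) load balancer
# instead of the HTTP(S) Ingress, so the client's real source IP reaches
# the pod and can be filtered.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-https-lb          # assumed name
  annotations:
    # Route only to nodes that host a pod of this Service and skip the
    # SNAT hop, so the pod sees the original client address
    # (the annotation described in the docs linked in the answer).
    service.beta.kubernetes.io/external-traffic: OnlyLocal
spec:
  type: LoadBalancer
  # Only these CIDRs may reach the load balancer; GCE enforces this as a
  # firewall rule on the node VMs. Replace with the test network(s) you
  # actually want to allow.
  loadBalancerSourceRanges:
  - 203.0.113.0/24               # constructed example range (TEST-NET-3)
  selector:
    app: keycloak                # assumed label on the Keycloak pods
  ports:
  - name: https
    port: 443
    targetPort: 8443             # assumed container port
    protocol: TCP
```

Because a network load balancer forwards TCP without terminating it, the TLS certificate that the Ingress served from `mysecret` has to be terminated inside the Keycloak pod instead. Once the Service is up, `kubectl describe service keycloak-https-lb` shows the external IP and the allowed source ranges, and a connection attempt from an address outside those ranges should be dropped by the firewall rather than reaching the pods.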