spec.loadBalancerSourceRanges for Linode Cloud provider

4/24/2019

I am trying to lock down my Kubernetes cluster and currently use Cloudflare on the front end. I am trying to whitelist Cloudflare's IPs.

this is in my service yaml:

spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 130.211.204.1/32
  - 173.245.48.0/20
  - 103.21.244.0/22
  - 103.22.200.0/22
  - 103.31.4.0/22
  - 141.101.64.0/18
  - 108.162.192.0/18
  - 190.93.240.0/20
  - 188.114.96.0/20
  - 197.234.240.0/22
  - 198.41.128.0/17
  - 162.158.0.0/15
  - 104.16.0.0/12
  - 172.64.0.0/13
  - 131.0.72.0/22

After applying this manifest, I can still access the load balancer URL from any browser! Is this feature not working, or perhaps I configured this incorrectly?

Thanks.

-- Jeryl Cook
kubernetes
linode

1 Answer

4/24/2019

From https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service:

When using a Service with spec.type: LoadBalancer, you can specify the IP ranges that are allowed to access the load balancer by using spec.loadBalancerSourceRanges. This field takes a list of IP CIDR ranges, which Kubernetes will use to configure firewall exceptions. This feature is currently supported on Google Compute Engine, Google Kubernetes Engine, AWS Elastic Kubernetes Service, Azure Kubernetes Service, and IBM Cloud Kubernetes Service. This field will be ignored if the cloud provider does not support the feature.

Maybe your cloud simply does not support it.

You can use other things that allow blocking by source IP, like nginx or ingress-nginx. In ingress-nginx you just specify a list of allowed IPs in the annotation ingress.kubernetes.io/whitelist-source-range.

If you want to go the Nginx or other proxy route, don't forget to change the Load Balancer Service's externalTrafficPolicy to Local. Otherwise you will not see real client IPs.

-- Vasily Angapov
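The answer's two points (the field is silently ignored by providers that do not implement it, so you have to verify enforcement yourself, and the fallback is an ingress-nginx allow-list plus externalTrafficPolicy: Local) can be checked and prepared offline. The following is an added example, not code from the question or the answer: it takes the CIDR list from the question, validates every entry strictly (a mistyped entry would otherwise be accepted or dropped without notice depending on the provider), reports which probe addresses the policy would admit so you can compare that with what curl from those vantage points actually returns, and builds the equivalent ingress-nginx annotation and Service patch. The annotation key used here is the current nginx.ingress.kubernetes.io/ prefix rather than the older ingress.kubernetes.io/ form quoted in the answer; the probe IPs and the ingress name, host and backend service are constructed values for illustration.

```python
"""Offline check of a Service's loadBalancerSourceRanges and conversion of the
same list into an ingress-nginx allow-list.

Added example, not code from the StackOverflow post. The CIDR list is copied
from the question; the probe addresses and manifest names are constructed.
"""
import ipaddress
import json

# CIDRs copied from the question's spec.loadBalancerSourceRanges
SOURCE_RANGES = [
    "130.211.204.1/32",
    "173.245.48.0/20",
    "103.21.244.0/22",
    "103.22.200.0/22",
    "103.31.4.0/22",
    "141.101.64.0/18",
    "108.162.192.0/18",
    "190.93.240.0/20",
    "188.114.96.0/20",
    "197.234.240.0/22",
    "198.41.128.0/17",
    "162.158.0.0/15",
    "104.16.0.0/12",
    "172.64.0.0/13",
    "131.0.72.0/22",
]

# Current ingress-nginx annotation key (the answer quotes the older prefix).
WHITELIST_KEY = "nginx.ingress.kubernetes.io/whitelist-source-range"


def parse_ranges(ranges):
    """Parse CIDR strings, refusing entries with host bits set.

    strict=True makes '104.16.1.0/12' raise ValueError instead of being
    silently widened to '104.16.0.0/12', which is how a typo turns into an
    allow-list you did not intend.
    """
    return [ipaddress.ip_network(cidr, strict=True) for cidr in ranges]


def is_allowed(client_ip, ranges):
    """True if client_ip falls inside any of the allowed CIDRs."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_ranges(ranges))


def exposure_report(probe_ips, ranges):
    """Map each probe IP to whether an enforcing provider would admit it.

    Compare this with a real probe (curl from a host at that address): if an
    address reported False here still gets a response from the load balancer,
    the field is being ignored, which is the symptom in the question.
    """
    return {ip: is_allowed(ip, ranges) for ip in probe_ips}


def whitelist_annotation(ranges, key=WHITELIST_KEY):
    """ingress-nginx wants one comma-separated string, not a YAML list."""
    parse_ranges(ranges)  # validate before emitting anything
    return {key: ",".join(ranges)}


def ingress_manifest(name, host, service_name, service_port, ranges):
    """Ingress carrying the allow-list; hypothetical names, kube-style layout."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name, "annotations": whitelist_annotation(ranges)},
        "spec": {
            "rules": [{
                "host": host,
                "http": {"paths": [{
                    "path": "/",
                    "pathType": "Prefix",
                    "backend": {"service": {"name": service_name,
                                            "port": {"number": service_port}}},
                }]},
            }],
        },
    }


def service_traffic_policy_patch():
    """Strategic-merge patch for the LoadBalancer Service in front of the
    ingress controller, so nginx sees the real peer address and the
    allow-list has something meaningful to match against."""
    return {"spec": {"externalTrafficPolicy": "Local"}}


if __name__ == "__main__":
    probes = ["104.16.1.1", "172.72.0.1", "8.8.8.8"]  # constructed probe IPs
    print(json.dumps(exposure_report(probes, SOURCE_RANGES), indent=2))
    print(json.dumps(ingress_manifest("web", "www.example.test", "web", 80,
                                      SOURCE_RANGES), indent=2))
    print(json.dumps(service_traffic_policy_patch()))
```

The manifest functions return plain dicts so the output can be piped to `kubectl apply -f -` as JSON or pasted into YAML; keeping the Service patch separate from the Ingress matches the answer's order of operations (restrict at the proxy, then fix externalTrafficPolicy so the proxy sees the peer address rather than a node-local SNAT address).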
Source: StackOverflow