Authorize Inbound Traffic for Your EKF Deployment
This section will walk you through allowing trusted CIDRs to reach services running in your EKF deployment, including Rok and Rok Registry.
Note
To sync between Rok clusters, you need to allow the Rok clusters to talk to your Rok Registry. Even if your Rok cluster and your Rok Registry cluster are co-located, you still need to go through this guide to allow outbound connections to re-enter the cluster.
What You'll Need
- A configured management environment.
- Access to the cluster's running services.
- A list of CIDRs that you want to have access to the EKF deployment, including the outbound IP addresses of your existing clusters.
Procedure
Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

Edit the Kustomize patch, based on how you have exposed your services.

Edit rok/nginx-ingress-controller/overlays/deploy/patches/ingress-alb.yaml and set the desired trusted CIDRs in the corresponding annotation:

    alb.ingress.kubernetes.io/inbound-cidrs: 198.51.100.1/32,203.0.113.1/32 # <-- Update this line with your trusted CIDRs (comma separated)

Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-elb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs:

    spec:
      loadBalancerSourceRanges:
      - "198.51.100.1/32" # <-- Update this line with one of your trusted CIDRs
      - "203.0.113.1/32" # <-- Update this line with one of your trusted CIDRs

Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-azurelb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs:

    spec:
      loadBalancerSourceRanges:
      - "198.51.100.1/32" # <-- Update this line with one of your trusted CIDRs
      - "203.0.113.1/32" # <-- Update this line with one of your trusted CIDRs

Edit rok/nginx-ingress-controller/overlays/deploy/patches/service-gclb.yaml and set loadBalancerSourceRanges to the desired trusted CIDRs:

    spec:
      loadBalancerSourceRanges:
      - "198.51.100.1/32" # <-- Update this line with one of your trusted CIDRs
      - "203.0.113.1/32" # <-- Update this line with one of your trusted CIDRs

Commit your changes:

    root@rok-tools:~/ops/deployments# git commit \
    >     -am "Reconfigure trusted CIDRs for NGINX"

Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply \
    >     rok/nginx-ingress-controller/overlays/deploy

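A check you can run on the CIDR list before the commit step, as an added example that is not part of the EKF documentation or tooling. The function names are hypothetical, and treating an allow-all range as an error is an assumption of this example. It validates each entry and renders the list in both forms used by the patches above:

```python
import ipaddress


def check_cidrs(cidrs):
    """Validate trusted CIDRs; return (normalized, problems)."""
    normalized, problems = [], []
    for raw in cidrs:
        text = raw.strip()
        try:
            # strict=True rejects entries with host bits set, e.g.
            # 203.0.113.1/24, which usually signals a typo in the mask.
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            problems.append(f"{text}: {exc}")
            continue
        if net.prefixlen == 0:
            # Assumption of this example: an allow-all range defeats the
            # purpose of the allowlist, so it is reported as a problem.
            problems.append(f"{text}: matches every source address")
            continue
        cidr = str(net)  # a bare IP is normalized to /32 (or /128)
        if cidr not in normalized:  # drop duplicates, keep order
            normalized.append(cidr)
    return normalized, problems


def alb_annotation(cidrs):
    """Comma-separated value for the ALB ingress annotation."""
    return "alb.ingress.kubernetes.io/inbound-cidrs: " + ",".join(cidrs)


def source_ranges_yaml(cidrs):
    """List form used by the Service patches."""
    lines = ["spec:", "  loadBalancerSourceRanges:"]
    lines += [f'  - "{c}"' for c in cidrs]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    sample = ["198.51.100.1/32", "203.0.113.1", "203.0.113.1/32",
              "0.0.0.0/0", "203.0.113.1/24", "not-a-cidr"]
    ok, bad = check_cidrs(sample)
    for line in bad:
        print("REJECTED", line)
    print(alb_annotation(ok))
    print(source_ranges_yaml(ok))
```
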
Summary
You have successfully allowed trusted CIDRs to reach services running in your EKF deployment.
What's Next
You can check out the rest of the maintenance operations that you can perform on your cluster.