
EMK - Restrict Access To Kubernetes API


Access to the Kubernetes API endpoint can be restricted using an allow-list mechanism. Your cluster can be configured to only accept requests from predefined IP addresses and networks, blocking unsolicited requests.

Configure Access Limit

Example configuration, allowing remote clients from network 1.2.3.0/24 and address 4.5.6.7/32:

kind: Shoot
spec:
  extensions:
  - type: acl
    providerConfig:
      rule:
        action: ALLOW
        type: remote_ip
        cidrs:
          - "1.2.3.0/24"
          - "4.5.6.7/32"

Additional CIDRs are added automatically so that internal infrastructure can still reach the Kubernetes API.

Configurations

The following options are available:

  • The providerConfig.rule.action field sets whether requests from the listed sources are allowed or denied
  • The providerConfig.rule.cidrs field is a list of IP addresses or networks in CIDR notation (min: 1, max: 50)

After saving the updated YAML configuration, the cluster will reconcile and apply the settings automatically.
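Because a mistyped allow-list can lock out the very clients that administer the cluster, it is worth validating the rule before saving it. The following is an added example, not part of EMK or its acl extension: it checks the rule against the limits stated above (action value, rule type, 1 to 50 well-formed CIDRs) and evaluates a client address against it. The DENY action value and the match semantics in is_client_allowed are assumptions; the page only shows ALLOW.

```python
import ipaddress

# Constructed rule mirroring the Shoot spec on this page (providerConfig.rule).
RULE = {"action": "ALLOW", "type": "remote_ip",
        "cidrs": ["1.2.3.0/24", "4.5.6.7/32"]}

MIN_CIDRS, MAX_CIDRS = 1, 50          # limits stated in the page
VALID_ACTIONS = {"ALLOW", "DENY"}     # "DENY" is an assumed value


def find_acl_rule(shoot_spec):
    """Return providerConfig.rule of the first extension of type 'acl', or None."""
    for ext in shoot_spec.get("extensions", []):
        if ext.get("type") == "acl":
            return ext.get("providerConfig", {}).get("rule")
    return None


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule is well-formed."""
    if rule is None:
        return ["no acl extension found in spec.extensions"]
    problems = []
    if rule.get("action") not in VALID_ACTIONS:
        problems.append(f"action must be one of {sorted(VALID_ACTIONS)}")
    if rule.get("type") != "remote_ip":
        problems.append("rule.type must be remote_ip")
    cidrs = rule.get("cidrs") or []
    if not MIN_CIDRS <= len(cidrs) <= MAX_CIDRS:
        problems.append(f"cidrs must have {MIN_CIDRS}..{MAX_CIDRS} entries, got {len(cidrs)}")
    for cidr in cidrs:
        try:
            # strict=True rejects entries with host bits set, e.g. "1.2.3.1/24",
            # which usually means the author meant a different prefix.
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"invalid CIDR: {cidr!r}")
    return problems


def is_client_allowed(rule, client_ip):
    """Assumed semantics: ALLOW permits only matching sources, DENY blocks them."""
    addr = ipaddress.ip_address(client_ip)
    matched = any(addr in ipaddress.ip_network(c, strict=False) for c in rule["cidrs"])
    return matched if rule["action"] == "ALLOW" else not matched


if __name__ == "__main__":
    spec = {"extensions": [{"type": "acl", "providerConfig": {"rule": RULE}}]}
    rule = find_acl_rule(spec)
    print("problems:", validate_rule(rule))                 # []
    print("admin host 4.5.6.7 allowed:", is_client_allowed(rule, "4.5.6.7"))
```

Run it with the address you administer from as the client before applying the YAML; if it reports False, the saved rule would cut off your own access.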