Commit 118bb0a

Add page Block Services with ExternalIPs
That uses a VAP to explain how a user may be able to block specific Services with ExternalIPs
1 parent e5c4414 commit 118bb0a

1 file changed

+100
-0
lines changed

@@ -0,0 +1,100 @@
1+
---
2+
reviewers:
3+
- thockin
4+
- danwinship
5+
- aojea
6+
min-kubernetes-server-version: v1.30
7+
title: Block Services with ExternalIPs
8+
content_type: task
9+
---
10+
11+
<!-- overview -->
12+
13+
This document shares how to control how Services with ExternalIPs are managed within your cluster.
14+
15+
An ExternalIP is a powerful tool that could be used for [malicious intent](https://www.cvedetails.com/cve/CVE-2020-8554/).
16+
17+
Any user who can create a Service with ExternalIPs could:
18+
19+
- intercept other users' outbound traffic to arbitrary IPs.
20+
- could (non-deterministically) steal other users' inbound traffic to their own ExternalIPs.
21+
22+
## {{% heading "prerequisites" %}}
23+
24+
{{< include "task-tutorial-prereqs.md" >}}
25+
26+
{{< version-check >}}
27+
28+
<!-- steps -->
29+
30+
## Kubernetes Service ExternalIP Policies
31+
32+
Cluster administrators can implement policies to control the creation and modification of Services with ExternalIPs within the cluster. This allows for centralized management of the allowed ExternalIPs used for Services and helps prevent unintended or conflicting configurations. Kubernetes provides mechanisms like Validating Admission Policies to enforce these rules.
33+
34+
### Allowing only specific ExternalIPs within a certain IP range to be created
35+
36+
The following example allows an administrator to restrict the allowed IP address range(s) of any new or updated Service:
37+
38+
```yaml
39+
---
40+
apiVersion: admissionregistration.k8s.io/v1
41+
kind: ValidatingAdmissionPolicy
42+
metadata:
43+
name: "allow-specific-externalips"
44+
spec:
45+
failurePolicy: Fail
46+
matchConstraints:
47+
resourceRules:
48+
- apiGroups: [""]
49+
apiVersions: ["v1"]
50+
operations: ["CREATE", "UPDATE"]
51+
resources: ["services"]
52+
variables:
53+
- name: allowed
54+
expression: "['192.0.2.0/24', '2001:db8::/64']"
55+
validations:
56+
- expression: |
57+
!has(object.spec.externalIPs) ||
58+
object.spec.externalIPs.all(ip, variables.allowed.exists(cidr, cidr(cidr).containsIP(ip)))
59+
message: "All externalIPs must be within the allowed CIDR ranges."
60+
---
61+
apiVersion: admissionregistration.k8s.io/v1
62+
kind: ValidatingAdmissionPolicyBinding
63+
metadata:
64+
name: "allow-specific-externalips-binding"
65+
spec:
66+
policyName: "allow-specific-externalips"
67+
validationActions: [Deny, Audit]
68+
```
69+
70+
### Restricting which users/groups may create/update Services with ExternalIPs
71+
72+
```yaml
73+
---
74+
apiVersion: admissionregistration.k8s.io/v1
75+
kind: ValidatingAdmissionPolicy
76+
metadata:
77+
name: "allow-specific-users-to-manage-externalips"
78+
spec:
79+
failurePolicy: Fail
80+
matchConstraints:
81+
resourceRules:
82+
- apiGroups: [""]
83+
apiVersions: ["v1"]
84+
operations: ["CREATE", "UPDATE"]
85+
resources: ["services"]
86+
validations:
87+
- expression: |
88+
!has(object.spec.externalIPs) ||
89+
request.userInfo.username == "myuser" ||
90+
request.userInfo.groups.exists(g, g in ["system:masters", "net-admins"])
91+
message: "Only user 'myuser' or members of groups 'system:masters' and 'net-admins' can assign externalIPs."
92+
---
93+
apiVersion: admissionregistration.k8s.io/v1
94+
kind: ValidatingAdmissionPolicyBinding
95+
metadata:
96+
name: "allow-specific-users-binding"
97+
spec:
98+
policyName: "allow-specific-users-to-manage-externalips"
99+
validationActions: [Deny, Audit]
100+
```
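Review bot: In the first policy's validation expression, the comprehension variables `ip` and `cidr` shadow the CEL `ip()` and `cidr()` functions, so `variables.allowed.exists(cidr, cidr(cidr).containsIP(ip))` reads ambiguously even where it evaluates correctly; renaming the loop variable, e.g. `variables.allowed.exists(range, cidr(range).containsIP(ip))`, keeps the expression unambiguous and easier to maintain. In the second policy, `!has(object.spec.externalIPs) || request.userInfo.username == "myuser" || ...` denies any UPDATE by a non-listed user to a Service that already carries externalIPs, even when the update does not touch that field; if the intent is to gate only the assignment or change of externalIPs, compare against `oldObject.spec.externalIPs` on UPDATE (`oldObject` is null on CREATE, so guard that case). Two documentation nits: the bullet `- could (non-deterministically) steal other users' inbound traffic ...` repeats the "could" already in the lead-in sentence "Any user who can create a Service with ExternalIPs could:", and the section "Restricting which users/groups may create/update Services with ExternalIPs" has no introductory sentence before its YAML block, unlike the first example.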
