From 118bb0a7dc3b09b19cd2cbd84c855d55593a4bfa Mon Sep 17 00:00:00 2001
From: Adrian Moisey
Date: Sun, 5 Oct 2025 19:22:47 +0200
Subject: [PATCH] Add page Block Services with ExternalIPs
That uses a VAP to explain how a user may be able to block specific Services with ExternalIPs
---
 .../block-services-with-externalips.md | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 content/en/docs/tasks/network/block-services-with-externalips.md
diff --git a/content/en/docs/tasks/network/block-services-with-externalips.md b/content/en/docs/tasks/network/block-services-with-externalips.md
new file mode 100644
index 0000000000000..37180cc916b53
--- /dev/null
+++ b/content/en/docs/tasks/network/block-services-with-externalips.md
@@ -0,0 +1,100 @@
+---
+reviewers:
+- thockin
+- danwinship
+- aojea
+min-kubernetes-server-version: v1.30
+title: Block Services with ExternalIPs
+content_type: task
+---
+
+
+This document shares how to control how Services with ExternalIPs are managed within your cluster.
+
+An ExternalIP is a powerful tool that could be used for [malicious intent](https://www.cvedetails.com/cve/CVE-2020-8554/).
+
+Any user who can create a Service with ExternalIPs could:
+
+- intercept other users' outbound traffic to arbitrary IPs.
+- could (non-deterministically) steal other users' inbound traffic to their own ExternalIPs.
+
+## {{% heading "prerequisites" %}}
+
+{{< include "task-tutorial-prereqs.md" >}}
+
+{{< version-check >}}
+
+
+## Kubernetes Service ExternalIP Policies
+
+Cluster administrators can implement policies to control the creation and modification of Services with ExternalIPs within the cluster. This allows for centralized management of the allowed ExternalIPs used for Services and helps prevent unintended or conflicting configurations. Kubernetes provides mechanisms like Validating Admission Policies to enforce these rules.
+
+### Allowing only specific ExternalIPs within a certain IP range to be created
+
+The following example allows an administrator to restrict the allowed IP address range(s) of any new or updated Service:
+
+```yaml
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "allow-specific-externalips"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["services"]
+ variables:
+ - name: allowed
+ expression: "['192.0.2.0/24', '2001:db8::/64']"
+ validations:
+ - expression: |
+ !has(object.spec.externalIPs) ||
+ object.spec.externalIPs.all(ip, variables.allowed.exists(cidr, cidr(cidr).containsIP(ip)))
+ message: "All externalIPs must be within the allowed CIDR ranges."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "allow-specific-externalips-binding"
+spec:
+ policyName: "allow-specific-externalips"
+ validationActions: [Deny, Audit]
+```
+
+### Restricting which users/groups may create/update Services with ExternalIPs
+
+```yaml
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "allow-specific-users-to-manage-externalips"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["services"]
+ validations:
+ - expression: |
+ !has(object.spec.externalIPs) ||
+ request.userInfo.username == "myuser" ||
+ request.userInfo.groups.exists(g, g in ["system:masters", "net-admins"])
+ message: "Only user 'myuser' or members of groups 'system:masters' and 'net-admins' can assign externalIPs."
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "allow-specific-users-binding"
+spec:
+ policyName: "allow-specific-users-to-manage-externalips"
+ validationActions: [Deny, Audit]
+```
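Review bot: The second policy's validation (the `allow-specific-users-to-manage-externalips` expression in this hunk) denies every UPDATE of a Service that already carries externalIPs unless the requester is the named user or in an allowed group, even when the update leaves `spec.externalIPs` untouched; if that lock-out is not intended, an extra disjunct such as `(request.operation == "UPDATE" && has(oldObject.spec.externalIPs) && oldObject.spec.externalIPs == object.spec.externalIPs) ||` lets unchanged externalIPs through while still gating any change to them. In the first policy the `exists` macro variable is named `cidr`, which shadows the `cidr()` library function called on the same line; `variables.allowed.exists(allowedCidr, cidr(allowedCidr).containsIP(ip))` reads unambiguously. Both bindings use `validationActions: [Deny, Audit]` with no `matchResources` exemption, so a short rollout note suggesting a first pass with `[Audit]` or `[Warn]` (and checking whether any existing Services, including those in system namespaces, already use externalIPs) would help readers avoid breaking running workloads. The second policy's message says members of groups `'system:masters' and 'net-admins'`, while the expression accepts membership in either group; `or` would match the check.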