Access Control for Azure Deployment
This section shows how to restrict access to only certain IP addresses for your LoadBalancer Service on Azure. At a later date, it will also include formal authentication through Azure. This method is not the most ideal way to secure your Kubernetes cluster, as it requires that you access the service from the same IP address every time. This process was adapted from the Kubernetes guide to configuring a firewall.
When using a service with
spec.type: LoadBalancer, you can specify the IP ranges that are allowed to access the load balancer by using
spec.loadBalancerSourceRanges. This is currently supported on all major cloud providers.
Editing the LoadBalancer Service
kubectl edit svc <loadbalancer-name> -n kubeflow to add your source ranges. This command will open the editor defined by you KUBE_EDITOR or EDITOR environment variables or fall back to ‘vi’ for Linux or ‘notepad’ for Windows. More information about using alternative editors and options for this command can be found in the kubectl edit documentation.
Internal Subnet Access
Assuming 10.0.0.0/8 is the address for the internal subnet, a load balancer will be created such that the deployment is only accessible from internal Kubernetes cluster IPs. This will not allow clients from outside your Kubernetes cluster to access the load balancer.
apiVersion: v1 kind: Service metadata: name: myapp spec: ports: - port: 8765 targetPort: 9376 selector: app: example type: LoadBalancer loadBalancerSourceRanges: - 10.0.0.0/8
External IP Addresses
In the following example, a load balancer will be created that is only accessible to clients with IP addresses from 18.104.22.168 and 22.214.171.124.
apiVersion: v1 kind: Service metadata: name: myapp spec: ports: - port: 8765 targetPort: 9376 selector: app: example type: LoadBalancer loadBalancerSourceRanges: - 126.96.36.199/32 - 188.8.131.52/32