In some scenarios where fine-grained permission control is required, you may need to dynamically add the IP addresses of pods to specified ApsaraDB RDS whitelists. You may also need to remove these IP addresses from specified ApsaraDB RDS whitelists. You can use ack-kubernetes-webhook-injector to perform these operations. This requires you to add annotations to pod configurations. This topic describes how to install and use ack-kubernetes-webhook-injector.
- The whitelist controls access in a coarse-grained manner because the IP addresses of all nodes and pods are added to the whitelist.
- The whitelist is not automatically deleted after the cluster is deleted. You must manually delete the whitelist.
To fix the preceding issues, ack-kubernetes-webhook-injector is developed by ACK to provide fine-grained security control over cloud resources. You can use ack-kubernetes-webhook-injector to dynamically add the IP address of a pod to an ApsaraDB RDS whitelist or security group. When the pod is deleted, the IP address is automatically removed from the ApsaraDB RDS whitelist or security group.
- When a pod is created or deleted, the IP address of the pod is automatically added to or removed from a specified SLB access control list (ACL).
- When a pod is created or deleted, the IP address of the pod is automatically added to or removed from a specified ApsaraDB for Redis whitelist.
- When a pod is created or deleted, the IP address of the pod is automatically added to or removed from a specified ApsaraDB RDS whitelist.
Before you use ack-kubernetes-webhook-injector, you must install the component. Perform the following steps:
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, choose .
- Select and click ack-kubernetes-webhook-injector.
- On the Parameters tab, set
true, and specify the AccessKey pair of the current account or . For more information, see Obtain an AccessKey pair.
- On the right side of the page, select a cluster to install the component and click Create.
Examples of using ack-kubernetes-webhook-injector to dynamically add the IP address of a pod to an ApsaraDB RDS whitelist
You only need to add annotations to the Pod Spec parameter of the replication controller for a pod. The annotations must specify the ID of an ApsaraDB RDS instance and the name of the ApsaraDB RDS whitelist. This way, when the pod is created, the IP address of the pod is automatically added to the specified ApsaraDB RDS whitelist or security group. When the pod is deleted, the IP address of the pod is automatically removed from the specified ApsaraDB RDS whitelist or security group.
- Annotations related to the ApsaraDB RDS whitelist:
- The ID of the ApsaraDB RDS instance: ack.aliyun.com/rds_id.
- The name of the ApsaraDB RDS whitelist: ack.aliyun.com/white_list_name.
The following example shows how to dynamically add the IP address of a pod to an ApsaraDB RDS whitelist by using ack-kubernetes-webhook-injector.
- Create a Deployment and add an annotation in the pod configurations to specify an ApsaraDB RDS instance ID and add another annotation to specify the name of an ApsaraDB RDS whitelist. The following YAML template is provided as an example:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: inject-test
  name: inject-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inject-test
  template:
    metadata:
      annotations:
        ack.aliyun.com/rds_id: <rm-wz9nanjcud75bxxxx>
        ack.aliyun.com/white_list_name: <rds_group>
      labels:
        app: inject-test
    spec:
      containers:
      - command:
        - sleep
        - "3600"
        image: alpine:latest
        name: inject-test
```
- Run the following command to query the IP address of the pod:

```shell
kubectl --kubeconfig .kube/config_sts_test -n inject-test get pod -o wide
```

Expected output:

```
NAME                           READY   STATUS    RESTARTS   AGE   IP            NODE
inject-test-68cc8f9bbf-gj86n   1/1     Running   0          22s   172.25.0.28   cn-hangzhou.xxx
```

The output shows that the IP address of the pod is 172.25.0.28.
- Log on to the ApsaraDB RDS console and check the whitelist of the specified ApsaraDB RDS instance. For more information about how to check an ApsaraDB RDS whitelist, see Configure an enhanced IP address whitelist.
- Change the number of pod replicas to 0 for the Deployment that is created in Step 1. Then, log on to the ApsaraDB RDS console and check the whitelist of the specified ApsaraDB RDS instance. You can find that the pod IP address is removed from the ApsaraDB RDS whitelist.

Note: You can perform similar steps to add the IP address of a pod to a security group by using ack-kubernetes-webhook-injector.
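The following Python script is an added example, not part of this topic and not the source code of ack-kubernetes-webhook-injector. It models what the annotations described above cause to happen: when a pod that carries both ack.aliyun.com/rds_id and ack.aliyun.com/white_list_name is created, its IP address is added to the named whitelist of that instance, and when the pod is deleted the address is removed again. The ApsaraDB RDS whitelist API is replaced by an in-memory stand-in (an assumption; the real API is a remote call), the pod objects are constructed sample data using the instance ID and whitelist name from the YAML above, and a small audit function is added to show how an operator can find whitelist entries that no longer correspond to a running pod, which is the failure mode to watch for if a delete event is ever missed.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

RDS_ID_ANNOTATION = "ack.aliyun.com/rds_id"
WHITELIST_ANNOTATION = "ack.aliyun.com/white_list_name"

# Constructed sample pod objects, shaped like the pods the Deployment above
# produces (metadata.annotations + status.podIP). The instance ID and
# whitelist name are the placeholders from the YAML, not real resources.
SAMPLE_PODS: List[dict] = [
    {
        "metadata": {
            "name": "inject-test-68cc8f9bbf-gj86n",
            "annotations": {
                RDS_ID_ANNOTATION: "rm-wz9nanjcud75bxxxx",
                WHITELIST_ANNOTATION: "rds_group",
            },
        },
        "status": {"podIP": "172.25.0.28"},
    },
    {   # a pod without the annotations must be left alone
        "metadata": {"name": "plain-pod", "annotations": {}},
        "status": {"podIP": "172.25.0.29"},
    },
]


class FakeRdsWhitelist:
    """In-memory stand-in for the ApsaraDB RDS whitelist API (assumption:
    only add/remove/list semantics are modelled, keyed by instance and group)."""

    def __init__(self) -> None:
        self.groups: Dict[Tuple[str, str], Set[str]] = {}

    def add(self, rds_id: str, group: str, ip: str) -> None:
        self.groups.setdefault((rds_id, group), set()).add(ip)

    def remove(self, rds_id: str, group: str, ip: str) -> None:
        self.groups.get((rds_id, group), set()).discard(ip)

    def members(self, rds_id: str, group: str) -> Set[str]:
        return set(self.groups.get((rds_id, group), set()))


def whitelist_target(pod: dict) -> Optional[Tuple[str, str]]:
    """Return (rds_id, whitelist_name) only if BOTH annotations are present."""
    ann = pod.get("metadata", {}).get("annotations") or {}
    rds_id = ann.get(RDS_ID_ANNOTATION)
    group = ann.get(WHITELIST_ANNOTATION)
    if not rds_id or not group:
        return None
    return rds_id, group


def pod_ip(pod: dict) -> str:
    """Validate the pod IP before it reaches the whitelist: a single host
    address only; a CIDR range or an empty string raises ValueError."""
    return str(ipaddress.ip_address(pod.get("status", {}).get("podIP", "")))


def on_pod_created(api: FakeRdsWhitelist, pod: dict) -> bool:
    """Add the pod IP to the annotated whitelist; False if not annotated."""
    target = whitelist_target(pod)
    if target is None:
        return False
    api.add(*target, pod_ip(pod))
    return True


def on_pod_deleted(api: FakeRdsWhitelist, pod: dict) -> bool:
    """Remove the pod IP from the annotated whitelist; False if not annotated."""
    target = whitelist_target(pod)
    if target is None:
        return False
    api.remove(*target, pod_ip(pod))
    return True


def stale_entries(api: FakeRdsWhitelist,
                  live_pods: List[dict]) -> Dict[Tuple[str, str], Set[str]]:
    """Audit: whitelist entries that no live annotated pod accounts for.
    Such entries are what remains if a pod deletion was never processed."""
    expected: Dict[Tuple[str, str], Set[str]] = {}
    for pod in live_pods:
        target = whitelist_target(pod)
        if target is not None:
            expected.setdefault(target, set()).add(pod_ip(pod))
    return {key: ips - expected.get(key, set())
            for key, ips in api.groups.items()
            if ips - expected.get(key, set())}


def demo() -> Dict[str, object]:
    """Replay the create/delete sequence from the steps above."""
    api = FakeRdsWhitelist()
    created = [on_pod_created(api, p) for p in SAMPLE_PODS]
    after_create = api.members("rm-wz9nanjcud75bxxxx", "rds_group")
    on_pod_deleted(api, SAMPLE_PODS[0])   # replicas scaled to 0
    after_delete = api.members("rm-wz9nanjcud75bxxxx", "rds_group")
    return {"created": created, "after_create": after_create,
            "after_delete": after_delete}


if __name__ == "__main__":
    print(demo())
```

Running the script shows the annotated pod's address present after creation and absent after deletion, while the un-annotated pod never touches the whitelist. The `stale_entries` audit is the check worth scheduling in a real cluster: compare the whitelist contents against the set of live annotated pods and treat any leftover address as something to remove.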
```shell
kubectl -n kube-system delete secret kubernetes-webhook-injector-certs
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io kubernetes-webhook-injector
```
Other security policies
- SLB-based access control:
- ApsaraDB for Redis whitelists:
- ApsaraDB for Redis instance ID:
- The name of an ApsaraDB for Redis whitelist:
- ApsaraDB for Redis instance ID: