All Products
Search
Document Center

Container Service for Kubernetes:Dynamically configure a pod whitelist for an Alibaba Cloud service

Last Updated:Oct 10, 2023

In scenarios that require access control, you may need to dynamically add the IP addresses of pods to an ApsaraDB RDS whitelist or remove IP addresses from the whitelist to fine-tune access control. To do this, you can use the ack-kubernetes-webhook-injector component to add annotations to the pods. This topic describes how to install ack-kubernetes-webhook-injector and use the component to dynamically configure a pod whitelist for an Alibaba Cloud service. This topic also describes how to configure ack-kubernetes-webhook-injector to access the internal endpoint of an Alibaba Cloud service.

Prerequisites

Introduction

In cloud computing scenarios, you must configure access control policies to allow external access to some cloud resources. For example, you must configure Server Load Balancer (SLB) access control lists (ACLs) for Elastic Compute Service (ECS) instances, or configure an ApsaraDB RDS whitelist to allow access from specified client IP addresses. When you create an ACK cluster, you can add the CIDR block of the cluster nodes to an ApsaraDB RDS whitelist. However, the following limits exist:

  • The whitelist controls access in a coarse-grained manner because the IP addresses of all nodes and pods are added to the whitelist.

  • The whitelist is not automatically updated after the cluster is deleted. You need to manually update the whitelist.

To resolve the preceding problem, ACK provides the ack-kubernetes-webhook-injector component to allow you to dynamically add the IP addresses of pods to an ApsaraDB RDS whitelist. When a pod is deleted, the IP address of the pod is automatically removed from the whitelist. This enables access control in a fine-grained manner.

The ack-kubernetes-webhook-injector component supports the following features:

  • When a pod is created or deleted, the IP address of the pod is automatically added to or removed from the corresponding SLB ACL.

  • When a pod is created or deleted, the IP address of the pod is automatically added to or removed from the corresponding ApsaraDB for Redis whitelist.

  • When a pod is created or deleted, the IP address of the pod is automatically added to or removed from the corresponding ApsaraDB RDS whitelist.

Install ack-kubernetes-webhook-injector

  1. Log on to the ACK console. In the left-side navigation pane, choose Marketplace > Marketplace.

  2. Find and click ack-kubernetes-webhook-injector. In the upper-right corner of the page, click Deploy.

  3. In the panel that appears, specify a cluster and namespace for the component, enter a release name, and click Next.

  4. On the Parameters wizard page, set ak and sk in the openapi section to your AccessKey pair and click OK.

    For more information about how to obtain the AccessKey pair, see Obtain an AccessKey pair.AK

Examples on how to use ack-kubernetes-webhook-injector to dynamically add the IP address of a pod to an ApsaraDB RDS whitelist

In the Pod Spec section of the ReplicationController, you can add annotations to specify the name of the ApsaraDB RDS whitelist to which the IP address of the pod will be added and the ID of the ApsaraDB RDS instance. ack-kubernetes-webhook-injector will automatically add the IP address of the pod to the whitelist when the pod is created and remove it from the whitelist when the pod is deleted.

Annotations:

  • The ID of the ApsaraDB RDS instance: ack.aliyun.com/rds_id

  • The name of the ApsaraDB RDS whitelist: ack.aliyun.com/white_list_name

In this topic, an ApsaraDB RDS whitelist is used as an example to demonstrate how to use ack-kubernetes-webhook-injector to dynamically configure a pod whitelist.

  1. Use the following YAML template to create a Deployment and add annotations to specify the name of the ApsaraDB RDS whitelist and the ID of the ApsaraDB RDS instance.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: inject-test
      name: inject-test
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: inject-test
      template:
        metadata:
          annotations:
            ack.aliyun.com/rds_id: <rm-wz9nanjcud75b****>
            ack.aliyun.com/white_list_name: <rds_group>
          labels:
            app: inject-test
        spec:
          containers:
          - command:
            - sleep
            - "3600"
            image: alpine:latest
            name: inject-test
  2. Run the following command to query the IP address of the pod:

    kubectl --kubeconfig .kube/config_sts_test -n inject-test get pod -o wide

    Expected output:

    NAME                           READY           STATUS        RESTARTS    AGE    IP                NODE
    inject-test-68cc8f9bbf-gj86n    1/1            Running         0        22s   172.25.0.28    cn-hangzhou.xxx

    The output indicates that the IP address of the pod is 172.25.0.28.

  3. Log on to the ApsaraDB RDS console and check the whitelist of the specified ApsaraDB RDS instance. For more information about how to view an ApsaraDB RDS whitelist, see Configure an enhanced IP address whitelist.

  4. Set the number of pods in the Deployment created in Step 1 to 0 and check the ApsaraDB RDS whitelist again.

    You can find that the IP address of the pod is removed from the ApsaraDB RDS whitelist in the console.

Access the internal endpoint of an Alibaba Cloud service

By default, ack-kubernetes-webhook-injector uses the public endpoint of an Alibaba Cloud service to access the service. If your cluster has public access disabled, you can configure ack-kubernetes-webhook-injector to use the internal endpoint of the service.

Note

Some Alibaba Cloud services do not provide internal endpoints in certain regions. You can go to OpenAPI Explorer to check whether a service provides an internal endpoint in the specified region.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Deployments in the left-side navigation pane.

  3. In the top navigation bar, select kube-system from the Namespace drop-down list, find the Deployment of kubernetes-webhook-injector, and choose More > View in YAML in the Actions of the Deployment.image.png

  4. Add - '--intranet-access' below spec.template.spec.containers.command and click Update.image.png

Other access control policies

ack-kubernetes-webhook-injector also supports the following access control policies:

  • SLB ACL: ack.aliyun.com/access_control_policy_id.

  • ApsaraDB for Redis whitelist:

    • The ID of an ApsaraDB for Redis instance: ack.aliyun.com/redis_id.

    • The name of an ApsaraDB for Redis whitelist: ack.aliyun.com/white_list_name.

Uninstall ack-kubernetes-webhook-injector

If you no longer need to use ack-kubernetes-webhook-injector, you can uninstall ack-kubernetes-webhook-injector by using the release feature provided by ACK. For more information, see Manage releases by using Helm. To delete the related configurations, run the following commands:

kubectl -n kube-system delete secret kubernetes-webhook-injector-certs
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io kubernetes-webhook-injector