In some scenarios where fine-grained permission control is required, you may need to dynamically add the IP addresses of pods to security groups or Relational Database Service (RDS) whitelists. You may also need to remove these IP addresses from security groups or RDS whitelists. You can use ack-kubernetes-webhook-injector to perform these operations. This requires you to add annotations to the pod configurations. This topic describes how to install and use ack-kubernetes-webhook-injector.
Background information
- Access control is coarse-grained: the IP addresses of all nodes and pods in the cluster are added to the whitelist, so access cannot be limited to the pods that actually need it.
- The whitelist is not automatically deleted after the cluster is deleted. You must manually delete the whitelist.
- When you create an ACK cluster, you cannot add inbound rules to the security group to which the cluster nodes belong.
To fix the preceding issues, ack-kubernetes-webhook-injector is developed by ACK to provide fine-grained security control over cloud resources. You can use ack-kubernetes-webhook-injector to dynamically add the IP address of a pod to an RDS whitelist or security group. When the pod is deleted, the IP address is automatically removed from the RDS whitelist or security group.
- When a pod is created or deleted, the IP address of the pod is automatically added to or removed from a specified RDS whitelist.
- When a pod is created or deleted, the IP address of the pod is automatically added to or removed from a specified security group.
Install ack-kubernetes-webhook-injector
Before you use ack-kubernetes-webhook-injector, you must first install the component. Perform the following steps:
- Log on to the ACK console.
- Find ack-kubernetes-webhook-injector and click it.
- On the Parameters tab, specify the AccessKey pair of the current account. For more information, see Obtain an AccessKey pair.
- On the right side of the page, select the cluster in which to install the component and click Create.
Examples of using ack-kubernetes-webhook-injector
You only need to add an annotation to the pod template (Pod Spec) of the controller that manages the pod, for example a Deployment. The annotation value must be the ID of an RDS whitelist or security group. When the pod is created, its IP address is automatically added to the specified RDS whitelist or security group; when the pod is deleted, its IP address is automatically removed again.
- RDS whitelist: ack.aliyun.com/rds_id
- Security group: ack.aliyun.com/security_group_id
In the following example, an RDS whitelist is used to show how to dynamically add the IP address of a pod to the RDS whitelist by using ack-kubernetes-webhook-injector.
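The manifest below is an added example, not the page's own: a Deployment whose pod template carries the ack.aliyun.com/rds_id annotation, so that ack-kubernetes-webhook-injector adds each pod's IP address to the whitelist of the named RDS instance when the pod starts and removes it when the pod is deleted. The RDS instance ID, the Deployment name and the container image are placeholders chosen for illustration.

```yaml
# Added example (not from the original page): a Deployment whose pods are
# handled by ack-kubernetes-webhook-injector.
# "rm-EXAMPLE-REPLACE-ME" is a placeholder; use your own RDS instance ID.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rds-client
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      app: rds-client
  template:
    metadata:
      labels:
        app: rds-client
      annotations:
        # The annotation belongs on the pod template, not on the Deployment
        # object itself: the webhook acts on pod create and delete events,
        # so it only sees annotations that are present on the pod.
        ack.aliyun.com/rds_id: "rm-EXAMPLE-REPLACE-ME"
    spec:
      containers:
      - name: app
        image: nginx:1.25
```

For a security group, use the ack.aliyun.com/security_group_id annotation with the security group ID as its value in the same place. After the pods are running, `kubectl get pod -l app=rds-client -o wide` shows their IP addresses, which should now appear in the whitelist of the RDS instance; deleting a pod (for example by scaling the Deployment down) should remove its address again. Because the AccessKey pair configured at installation is what the component uses to modify whitelists and security groups, it is advisable to supply the credentials of a RAM user that is limited to those operations rather than the credentials of the account owner.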
Uninstall ack-kubernetes-webhook-injector
Run the following commands to delete the certificate Secret and the mutating webhook configuration that were created for the component:
kubectl -n kube-system delete secret kubernetes-webhook-injector-certs
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io kubernetes-webhook-injector