In some scenarios where fine-grained permission control is required, you may need to dynamically add the IP addresses of pods to security groups or Relational Database Service (RDS) whitelists. You may also need to remove these IP addresses from security groups or RDS whitelists. You can use ack-kubernetes-webhook-injector to perform these operations. This requires you to add annotations to the pod configurations. This topic describes how to install and use ack-kubernetes-webhook-injector.
- The whitelist controls access in a coarse-grained manner because the IP addresses of all nodes and pods are added to the whitelist.
- The whitelist is not automatically deleted after the cluster is deleted. You must manually delete the whitelist.
- You cannot add inbound rules to the security group to which the cluster nodes belong when you create the ACK cluster.
To address the preceding issues, ACK provides ack-kubernetes-webhook-injector, which gives you fine-grained security control over cloud resources. You can use ack-kubernetes-webhook-injector to dynamically add the IP address of a pod to an RDS whitelist or security group. When the pod is deleted, the IP address is automatically removed from the RDS whitelist or security group.
- When a pod is created or deleted, the IP address of the pod is automatically added to or removed from a specified RDS whitelist.
- When a pod is created or deleted, the IP address of the pod is automatically added to or removed from a specified security group.
Before you use ack-kubernetes-webhook-injector, you must first install the component. Perform the following steps:
Examples of using ack-kubernetes-webhook-injector
You only need to add an annotation to the pod template (the Pod Spec section) of the workload controller, such as a Deployment. The annotation must specify the ID of an RDS instance or security group. This way, when the pod is created, the IP address of the pod is automatically added to the specified RDS whitelist or security group. When the pod is deleted, the IP address of the pod is automatically removed from the specified RDS whitelist or security group.
- RDS whitelist: ack.aliyun.com/rds_id
- Security group: ack.aliyun.com/security_group_id
In the following example, an RDS whitelist is used to show how to dynamically add the IP address of a pod to the RDS whitelist by using ack-kubernetes-webhook-injector.
- Create a Deployment and add an annotation to specify an RDS instance ID in the pod configurations. The following YAML template is an example:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: inject-test
  name: inject-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: inject-test
  template:
    metadata:
      annotations:
        ack.aliyun.com/rds_id: rm-wz9nanjcud75bxxxx
      labels:
        app: inject-test
    spec:
      containers:
      - command:
        - sleep
        - "3600"
        image: alpine:latest
        name: inject-test
```
- Run the following command to query the IP address of the application pod:

```shell
kubectl --kubeconfig .kube/config_sts_test -n inject-test get pod -o wide
```

The following output is returned:

```
NAME                           READY   STATUS    RESTARTS   AGE   IP            NODE
inject-test-68cc8f9bbf-gj86n   1/1     Running   0          22s   172.20.0.29   cn-hangzhou.xxx
```

The output shows that the IP address of the pod is 172.20.0.29.
- Log on to the RDS console and check the whitelist of the specified RDS instance. For more information about how to check an RDS whitelist, see Configure an IP address whitelist in enhanced whitelist mode.
- Change the number of pod replicas to 0 for the Deployment that is created in Step 1. Then, log on to the RDS console and check the whitelist of the specified RDS instance. You can find that the IP address is removed from the RDS whitelist.

Note: You can perform similar steps to add the IP address of a pod to a security group.
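The procedure above relies on the injector removing a pod's IP address when the pod is deleted. The following added example (not part of ack-kubernetes-webhook-injector or the ACK documentation) reads the two annotation keys the injector uses from a pod list in the JSON shape returned by `kubectl get pod -A -o json`, derives which IP addresses each RDS instance or security group should currently contain, and compares that with the entries actually present, so a stale entry left behind by a deleted pod, or a missing entry, stands out. The pod list and whitelist contents are constructed sample data; the function names are this example's own.

```python
"""Reconcile injector annotations on pods against the entries actually present in a whitelist."""
import json
from collections import defaultdict

RDS_KEY = "ack.aliyun.com/rds_id"                 # annotation keys used by the injector
SG_KEY = "ack.aliyun.com/security_group_id"

def expected_ips(pod_list):
    """Map each annotated RDS instance / security group ID to the IPs of its live pods."""
    expected = defaultdict(set)
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        if meta.get("deletionTimestamp"):        # pod is being deleted: its IP must be gone too
            continue
        ip = pod.get("status", {}).get("podIP")
        if not ip:                                # Pending pods have no IP yet
            continue
        ann = meta.get("annotations") or {}
        for key in (RDS_KEY, SG_KEY):
            if key in ann:
                expected[ann[key]].add(ip)
    return dict(expected)

def reconcile(pod_list, actual):
    """Return {resource_id: (stale_ips, missing_ips)} for every ID seen on either side."""
    expected = expected_ips(pod_list)
    report = {}
    for rid in set(expected) | set(actual):
        want, have = expected.get(rid, set()), set(actual.get(rid, ()))
        report[rid] = (sorted(have - want), sorted(want - have))
    return report

# Constructed sample: one running pod, one pod being deleted whose IP still lingers in the
# whitelist, and one Pending pod. "sg-xxxx" is a placeholder security group ID.
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"name": "inject-test-68cc8f9bbf-gj86n",
   "annotations": {"ack.aliyun.com/rds_id": "rm-wz9nanjcud75bxxxx"}},
  "status": {"podIP": "172.20.0.29"}},
 {"metadata": {"name": "inject-test-68cc8f9bbf-old", "deletionTimestamp": "2024-01-01T00:00:00Z",
   "annotations": {"ack.aliyun.com/rds_id": "rm-wz9nanjcud75bxxxx"}},
  "status": {"podIP": "172.20.0.17"}},
 {"metadata": {"name": "pending", "annotations": {"ack.aliyun.com/security_group_id": "sg-xxxx"}},
  "status": {}}
]}""")
SAMPLE_WHITELIST = {"rm-wz9nanjcud75bxxxx": ["172.20.0.29", "172.20.0.17"]}

if __name__ == "__main__":
    for rid, (stale, missing) in reconcile(SAMPLE_PODS, SAMPLE_WHITELIST).items():
        print(rid, "stale:", stale, "missing:", missing)
```

In practice, feed `actual` from the whitelist shown in the RDS console or from the security group's inbound rules; any IP reported as stale is an entry the injector did not clean up and should be removed by hand.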
```shell
kubectl -n kube-system delete secret kubernetes-webhook-injector-certs
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io kubernetes-webhook-injector
```