Container Service for Kubernetes:Dynamically configure whitelists for Alibaba Cloud products for pods

Last Updated:Mar 26, 2026

ack-kubernetes-webhook-injector keeps Alibaba Cloud service whitelists in sync with your pod lifecycle. When a pod starts, the component automatically adds its IP address to the configured whitelist. When the pod is deleted, the IP address is removed. This eliminates manual whitelist maintenance and replaces coarse-grained node-CIDR whitelisting with per-pod access control.

Supported services:

  • ApsaraDB RDS whitelist

  • ApsaraDB for Redis whitelist

  • Server Load Balancer (SLB) access control list (ACL)

Limitations

Before you configure this feature, note the following constraints:

  • Network plugin: The cluster must use the Terway network plugin. The component is not compatible with other network plugins.

  • Cluster type: Only ACK managed clusters are supported.

  • Whitelist persistence after cluster deletion: When a cluster is deleted, the whitelists are not automatically updated. You must manually remove the pod IP addresses from the whitelists.

  • Regional availability of internal endpoints: Not all Alibaba Cloud services provide internal endpoints in every region. If you plan to use internal endpoint access, verify availability on OpenAPI Explorer before configuring.

Prerequisites

Before you begin, ensure that you have:

Install ack-kubernetes-webhook-injector

  1. Log on to the ACK console. In the left-side navigation pane, choose Marketplace > Marketplace.

  2. Find and click ack-kubernetes-webhook-injector, then click Deploy in the upper-right corner.

  3. In the panel that appears, select a cluster and namespace, enter a release name, and click Next.

  4. On the Parameters wizard page, set ak and sk in the openapi section to your AccessKey pair, then click OK. To get your AccessKey pair, see Obtain an AccessKey pair.

Add pod IP addresses to an ApsaraDB RDS whitelist

Add two annotations to your Deployment's pod spec to tell ack-kubernetes-webhook-injector which RDS instance and whitelist group to update:

  • ack.aliyun.com/rds_id: The ID of the ApsaraDB RDS instance.

  • ack.aliyun.com/white_list_name: The name of the ApsaraDB RDS whitelist group.

Deploy and verify

  1. Create a Deployment with the required annotations. Replace <rm-wz9nanjcud75b****> with your RDS instance ID and <rds_group> with your whitelist group name.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: inject-test
      name: inject-test
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: inject-test
      template:
        metadata:
          annotations:
            ack.aliyun.com/rds_id: <rm-wz9nanjcud75b****>
            ack.aliyun.com/white_list_name: <rds_group>
          labels:
            app: inject-test
        spec:
          containers:
          - command:
            - sleep
            - "3600"
            image: alpine:latest
            name: inject-test

  2. Get the IP address of the running pod. The example command assumes the Deployment was created in the inject-test namespace and uses a custom kubeconfig path:

    kubectl --kubeconfig .kube/config_sts_test -n inject-test get pod -o wide

    The output is similar to:

    NAME                           READY   STATUS    RESTARTS   AGE   IP            NODE
    inject-test-68cc8f9bbf-gj86n   1/1     Running   0          22s   172.25.0.28   cn-hangzhou.xxx

    The pod IP address in this example is 172.25.0.28.

  3. Log on to the ApsaraDB RDS console and check the whitelist of your RDS instance. The pod IP address appears in the configured whitelist group. For details on viewing an RDS whitelist, see Configure an enhanced IP address whitelist.

  4. Scale the Deployment to 0 replicas, then check the RDS whitelist again. The pod IP address is automatically removed from the whitelist.
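The manual check in steps 2 to 4 above, and the Limitations note that pod IPs are left behind in the whitelist when a cluster is deleted, can be turned into a small reconciliation script. The following is an added example, not part of ack-kubernetes-webhook-injector: it parses the `kubectl get pod -o wide` table from step 2 and compares the pod IPs with the entries of a whitelist group; the kubectl output, the whitelist content and the pod CIDR are constructed sample values.

```python
import ipaddress

# Constructed sample in the format of `kubectl get pod -o wide`.
KUBECTL_OUTPUT = """\
NAME                           READY   STATUS    RESTARTS   AGE   IP            NODE
inject-test-68cc8f9bbf-gj86n   1/1     Running   0          22s   172.25.0.28   cn-hangzhou.xxx
inject-test-68cc8f9bbf-q7v2x   0/1     Pending   0          3s    <none>        <none>
"""
# Constructed sample whitelist group, comma-separated as the RDS console shows it.
WHITELIST = "172.25.0.28,172.25.0.41,172.25.1.0/24,10.0.0.0/8"
# Assumed pod CIDR of the Terway cluster; replace it with your own.
POD_CIDR = ipaddress.ip_network("172.25.0.0/16")

def parse_pod_ips(output):
    """IPs of pods that already hold an address (Pending pods show <none>)."""
    lines = output.strip().splitlines()
    ip_col = lines[0].split().index("IP")
    ips = set()
    for line in lines[1:]:
        ip = line.split()[ip_col]
        if ip != "<none>":
            ips.add(ip)
    return ips

def parse_whitelist(group):
    """Split the comma-separated group into entries, dropping blanks."""
    return [e.strip() for e in group.split(",") if e.strip()]

def reconcile(pod_ips, whitelist, pod_cidr):
    """Return (missing, stale, broad):
    missing - pod IPs the injector has not added, so those pods cannot connect;
    stale   - single-host entries inside the pod CIDR with no live pod, e.g.
              left behind after a cluster was deleted (see Limitations);
    broad   - ranges overlapping the pod CIDR, i.e. node-level whitelisting."""
    missing = sorted(ip for ip in pod_ips if ip not in whitelist)
    stale, broad = [], []
    for entry in whitelist:
        net = ipaddress.ip_network(entry, strict=False)
        if not net.overlaps(pod_cidr):
            continue  # unrelated to this cluster; leave it alone
        if net.prefixlen == net.max_prefixlen:
            if str(net.network_address) not in pod_ips:
                stale.append(entry)
        else:
            broad.append(entry)
    return missing, stale, broad

def check_sample():
    return reconcile(parse_pod_ips(KUBECTL_OUTPUT), parse_whitelist(WHITELIST), POD_CIDR)
```

Entries reported as stale are the ones to remove by hand after a cluster deletion; a non-empty missing list after a pod has been Running for a while indicates the injection did not take effect.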

Add pod IP addresses to an SLB ACL or ApsaraDB for Redis whitelist

Use the following annotations to configure access control for SLB and ApsaraDB for Redis:

  • SLB ACL: ack.aliyun.com/access_control_policy_id, the ID of the SLB ACL.

  • ApsaraDB for Redis: ack.aliyun.com/redis_id, the ID of the ApsaraDB for Redis instance.

  • ApsaraDB for Redis: ack.aliyun.com/white_list_name, the name of the ApsaraDB for Redis whitelist group.

Add these annotations to the pod spec of your Deployment, following the same pattern as the RDS example.

Use the internal endpoint

By default, ack-kubernetes-webhook-injector calls Alibaba Cloud service APIs over the public endpoint. If your cluster has no public internet access, switch to the internal endpoint.

Not all Alibaba Cloud services provide internal endpoints in every region. Check OpenAPI Explorer to confirm availability before switching.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. Click the name of your cluster. In the left-side pane, choose Workloads > Deployments.

  3. In the top navigation bar, select kube-system from the Namespace drop-down list. Find the kubernetes-webhook-injector Deployment, then choose More > View in YAML in the Actions column.

  4. Add - '--intranet-access' below spec.template.spec.containers.command, then click Update.

Uninstall ack-kubernetes-webhook-injector

Uninstall the component using the Helm release management feature in ACK. For details, see Manage releases by using Helm.

After uninstalling, run the following commands to remove the related configurations:

kubectl -n kube-system delete secret kubernetes-webhook-injector-certs
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io kubernetes-webhook-injector