
Container Service for Kubernetes:Dynamically add the IP addresses of pods to the whitelists of Alibaba Cloud services

Last Updated:Mar 25, 2026

ack-kubernetes-webhook-injector keeps cloud service whitelists in sync with your pod lifecycle. When a pod starts, the component automatically adds the pod's IP address to the specified whitelist. When the pod is deleted, the IP address is removed. This gives you fine-grained, automatic access control without manual updates.

Supported services

| Service | Annotation (instance ID) | Annotation (whitelist name) |
|---|---|---|
| ApsaraDB RDS | ack.aliyun.com/rds_id | ack.aliyun.com/white_list_name |
| ApsaraDB for Redis | ack.aliyun.com/redis_id | ack.aliyun.com/white_list_name |
| Server Load Balancer (SLB) access control list (ACL) | ack.aliyun.com/access_control_policy_id | (not applicable) |

Limits and considerations

  • The component requires the Terway network plug-in.

  • The component only supports ACK managed clusters.

  • The AccessKey pair used during installation must have permissions to manage the target cloud services (ApsaraDB RDS, ApsaraDB for Redis, or SLB).

  • Not all Alibaba Cloud services provide internal endpoints in every region. Check endpoint availability on OpenAPI Explorer before switching to internal endpoint access.

  • For ApsaraDB RDS and ApsaraDB for Redis, add annotations to spec.template.metadata.annotations (the pod template), not to metadata.annotations (the Deployment).

Prerequisites

Before you begin, ensure that you have:

Install ack-kubernetes-webhook-injector

  1. Log on to the ACK console. In the left-side navigation pane, choose Marketplace > Marketplace.

  2. Find and click ack-kubernetes-webhook-injector. In the upper-right corner of the page, click Deploy.

  3. In the panel that appears, select a cluster and namespace, enter a release name, and click Next.

  4. On the Parameters wizard page, select a chart version. In the openapi section, set ak to your AccessKey ID and sk to your AccessKey Secret, then click OK.

Add pod IP addresses to a whitelist

After installation, annotate the pod template in your Deployment to specify the target service instance and whitelist. The component reads these annotations and handles all whitelist updates automatically.

Add pod IP addresses to an ApsaraDB RDS whitelist

  1. Create a Deployment with the RDS annotations. Replace <rm-wz9nanjcud75b****> with your RDS instance ID and <rds_group> with the name of the whitelist group. Add the annotations to spec.template.metadata.annotations (the pod template), not to metadata.annotations (the Deployment).

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: inject-test
      name: inject-test
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: inject-test
      template:
        metadata:
          annotations:
            ack.aliyun.com/rds_id: <rm-wz9nanjcud75b****>
            ack.aliyun.com/white_list_name: <rds_group>
          labels:
            app: inject-test
        spec:
          containers:
          - command:
            - sleep
            - "3600"
            image: alpine:latest
            name: inject-test
  2. After the pod starts, get the pod's IP address:

    kubectl --kubeconfig .kube/config_sts_test -n inject-test get pod -o wide

    Expected output:

    NAME                           READY   STATUS    RESTARTS   AGE   IP            NODE
    inject-test-68cc8f9bbf-gj86n   1/1     Running   0          22s   172.25.0.28   cn-hangzhou.xxx
  3. Log on to the ApsaraDB RDS console and check the whitelist of the RDS instance. The pod's IP address (for example, 172.25.0.28) should appear in the specified whitelist group. For more information, see Configure an enhanced IP address whitelist.

  4. To verify that the IP address is removed when the pod is deleted, scale the Deployment to 0 replicas and check the RDS whitelist again. The pod's IP address is no longer listed in the whitelist.
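The synchronization the component performs (add an IP when a pod starts, remove it when the pod is deleted) and the check in steps 2 to 4 amount to reconciling two lists. The following Python script is an added example; it is not part of ack-kubernetes-webhook-injector or of this page. It parses `kubectl get pod -o wide` output, parses an RDS whitelist group in its comma-separated form, and reports which pod IPs are missing from the group and which entries are stale. The sample output and whitelist string are constructed. The script assumes that the whitelist group is dedicated to the component (so any entry no running pod holds is stale) and that the pod listing covers every pod annotated with that group; in practice the group is read and written through the RDS console or API, which the script does not call.

```python
from __future__ import annotations

import ipaddress

# Constructed sample input: the "kubectl get pod -o wide" output shown above,
# with a second replica and a Pending pod added.
SAMPLE_KUBECTL_OUTPUT = """\
NAME                           READY   STATUS    RESTARTS   AGE   IP            NODE
inject-test-68cc8f9bbf-gj86n   1/1     Running   0          22s   172.25.0.28   cn-hangzhou.xxx
inject-test-68cc8f9bbf-q7p2x   1/1     Running   0          22s   172.25.0.29   cn-hangzhou.xxx
inject-test-68cc8f9bbf-zz9k1   0/1     Pending   0          3s    <none>        <none>
"""

# Constructed sample whitelist group in the comma-separated form RDS uses:
# one entry matches a running pod, one belongs to a pod that no longer exists.
SAMPLE_WHITELIST = "172.25.0.28,172.25.0.17"


def pod_ips_from_wide_output(text: str) -> set[str]:
    """Return the IPs of Running pods from `kubectl get pod -o wide` output.

    Column positions come from the header line. STATUS and IP precede the
    multi-word headers (NOMINATED NODE, READINESS GATES) that newer kubectl
    versions append, so whitespace splitting stays correct for them.
    """
    lines = text.strip().splitlines()
    header = lines[0].split()
    status_col, ip_col = header.index("STATUS"), header.index("IP")
    ips: set[str] = set()
    for line in lines[1:]:
        cols = line.split()
        if cols[status_col] != "Running":
            continue  # Pending pods show "<none>" and have no IP yet
        try:
            ips.add(str(ipaddress.ip_address(cols[ip_col])))
        except ValueError:
            continue  # not an address
    return ips


def parse_whitelist(whitelist: str) -> set[str]:
    """Split a comma-separated whitelist into normalised entries.

    Single addresses are kept as plain IPs so they compare equal to pod IPs;
    CIDR ranges are kept in network form.
    """
    entries: set[str] = set()
    for item in whitelist.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)
        if net.prefixlen == net.max_prefixlen:
            entries.add(str(net.network_address))
        else:
            entries.add(str(net))
    return entries


def reconcile(pod_ips: set[str], whitelist: set[str]) -> tuple[set[str], set[str]]:
    """Return (to_add, stale).

    to_add: running pod IPs not yet in the whitelist.
    stale:  whitelist entries no running pod holds. This assumes the group is
            dedicated to the component; a stale entry keeps database access
            open for whatever next receives that address.
    """
    return pod_ips - whitelist, whitelist - pod_ips


def updated_whitelist(whitelist: set[str], to_add: set[str], stale: set[str]) -> str:
    """Render the reconciled group back to the comma-separated form."""
    merged = (whitelist | to_add) - stale
    return ",".join(sorted(merged, key=lambda e: ipaddress.ip_network(e, strict=False)))


if __name__ == "__main__":
    pods = pod_ips_from_wide_output(SAMPLE_KUBECTL_OUTPUT)
    current = parse_whitelist(SAMPLE_WHITELIST)
    add, stale = reconcile(pods, current)
    print("running pod IPs: ", sorted(pods))
    print("add to whitelist:", sorted(add))
    print("stale entries:   ", sorted(stale))
    print("reconciled group:", updated_whitelist(current, add, stale))
```

Scaling the Deployment to 0 replicas, as in step 4, corresponds to an empty pod set: every entry in the group then shows up as stale, which is the state the component is expected to clear. Running the script periodically against the real pod listing and the real group is a simple way to detect entries the component failed to remove, for example after a pod was deleted while the webhook was unavailable.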

Add pod IP addresses to an ApsaraDB for Redis whitelist

Add the following annotations to spec.template.metadata.annotations in your Deployment. Replace <redis-instance-id> with your Redis instance ID and <redis_group> with the whitelist group name.

annotations:
  ack.aliyun.com/redis_id: <redis-instance-id>
  ack.aliyun.com/white_list_name: <redis_group>

Add pod IP addresses to an SLB ACL

Add the following annotation to spec.template.metadata.annotations in your Deployment. Replace <acl-id> with the ID of your SLB access control policy.

annotations:
  ack.aliyun.com/access_control_policy_id: <acl-id>
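The three annotation sets above share one failure mode the page warns about: placed on metadata.annotations of the Deployment instead of the pod template, they are silently ignored and no IP is ever whitelisted. The following Python check is an added example, not code from ack-kubernetes-webhook-injector or from this page; it validates a parsed Deployment before it is applied, reporting misplaced annotations, a missing ack.aliyun.com/white_list_name for RDS or Redis, and placeholder values such as <rm-...> copied verbatim from documentation. The `make_deployment` helper and the instance IDs it is called with are constructed for the example.

```python
from __future__ import annotations

# Annotation keys from the "Supported services" table on this page.
RDS_ID = "ack.aliyun.com/rds_id"
REDIS_ID = "ack.aliyun.com/redis_id"
WHITELIST_NAME = "ack.aliyun.com/white_list_name"
SLB_ACL_ID = "ack.aliyun.com/access_control_policy_id"
INJECTOR_KEYS = frozenset({RDS_ID, REDIS_ID, WHITELIST_NAME, SLB_ACL_ID})


def make_deployment(pod_annotations: dict | None = None,
                    deployment_annotations: dict | None = None) -> dict:
    """Build a constructed Deployment (the inject-test manifest from this page
    as a dict) with annotations placed at the given level(s)."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "inject-test", "labels": {"app": "inject-test"},
                     "annotations": dict(deployment_annotations or {})},
        "spec": {
            "replicas": 1,
            "selector": {"matchLabels": {"app": "inject-test"}},
            "template": {
                "metadata": {"annotations": dict(pod_annotations or {}),
                             "labels": {"app": "inject-test"}},
                "spec": {"containers": [{"name": "inject-test", "image": "alpine:latest",
                                         "command": ["sleep", "3600"]}]},
            },
        },
    }


def check_injector_annotations(manifest: dict) -> list[str]:
    """Return findings for a parsed Deployment; an empty list means the
    injector annotations sit on the pod template and are paired as the
    supported-services table requires."""
    if manifest.get("kind") != "Deployment":
        return [f"kind {manifest.get('kind')!r} not checked; expected Deployment"]
    findings: list[str] = []

    # Mistake called out on this page: annotations on the Deployment object
    # rather than on the pod template are not read by the component.
    top = (manifest.get("metadata") or {}).get("annotations") or {}
    misplaced = sorted(INJECTOR_KEYS & top.keys())
    if misplaced:
        findings.append("placed on metadata.annotations instead of "
                        "spec.template.metadata.annotations: " + ", ".join(misplaced))

    template_meta = ((manifest.get("spec") or {}).get("template") or {}).get("metadata") or {}
    ann = template_meta.get("annotations") or {}
    present = INJECTOR_KEYS & ann.keys()

    # RDS and Redis both need the whitelist group name; the SLB ACL does not.
    if (RDS_ID in present or REDIS_ID in present) and WHITELIST_NAME not in present:
        findings.append(f"{WHITELIST_NAME} is required with {RDS_ID} or {REDIS_ID}")
    if WHITELIST_NAME in present and not (RDS_ID in present or REDIS_ID in present):
        findings.append(f"{WHITELIST_NAME} has no {RDS_ID} or {REDIS_ID} to apply to")

    # Placeholder values (e.g. <rm-...>) left over from the documentation.
    for key in sorted(present):
        value = str(ann[key]).strip()
        if not value or (value.startswith("<") and value.endswith(">")):
            findings.append(f"{key} still holds placeholder value {value!r}")

    if not present and not misplaced:
        findings.append("no injector annotations found on the pod template")
    return findings


if __name__ == "__main__":
    # Constructed instance IDs; real IDs come from the RDS console.
    for label, manifest in [
        ("correct", make_deployment({RDS_ID: "rm-EXAMPLE", WHITELIST_NAME: "rds_group"})),
        ("misplaced", make_deployment(deployment_annotations={RDS_ID: "rm-EXAMPLE",
                                                              WHITELIST_NAME: "rds_group"})),
    ]:
        print(label, check_injector_annotations(manifest) or "OK")
```

Feed it a manifest loaded with PyYAML's `yaml.safe_load` from the file you are about to apply, or the output of `kubectl get deployment <name> -o json` parsed with `json.load`, to catch the misplacement before the Deployment is rolled out; an empty finding list is the condition to gate on in CI.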

Use an internal endpoint

By default, ack-kubernetes-webhook-injector calls the public endpoint of each Alibaba Cloud service. If your cluster has public access disabled, configure the component to use internal endpoints instead.

Not all Alibaba Cloud services provide internal endpoints in every region. Check endpoint availability on OpenAPI Explorer before proceeding.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left-side pane, choose Workloads > Deployments.

  3. In the top navigation bar, select kube-system from the Namespace drop-down list. Find the kubernetes-webhook-injector Deployment, and in the Actions column, choose More > View in YAML.

  4. Under spec.template.spec.containers.command, add - '--intranet-access', then click Update.

Uninstall ack-kubernetes-webhook-injector

Uninstall the component using the Helm release management feature in ACK. See Manage releases by using Helm.

After uninstalling the release, delete the related configurations:

kubectl -n kube-system delete secret kubernetes-webhook-injector-certs
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io kubernetes-webhook-injector