Configuring ingress cluster traffic using load balancer allowed source ranges
You can specify a list of IP address ranges for the Ingress Controller. This action restricts access to the load balancer service when you specify the LoadBalancerService value for the endpointPublishingStrategy parameter.
Configuring load balancer allowed source ranges
You can enable and configure the spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges parameter. By configuring load balancer allowed source ranges, you can limit the access to the load balancer for the Ingress Controller to a specified list of IP address ranges.
The Ingress Operator reconciles the load balancer Service and sets the spec.loadBalancerSourceRanges parameter based on AllowedSourceRanges.
Note
If you have already set the spec.loadBalancerSourceRanges parameter or the load balancer service annotation service.beta.kubernetes.io/load-balancer-source-ranges in a previous version of OpenShift Container Platform, the Ingress Controller starts reporting Progressing=True after an upgrade. To fix this, set AllowedSourceRanges, which overwrites the spec.loadBalancerSourceRanges parameter and clears the service.beta.kubernetes.io/load-balancer-source-ranges annotation. The Ingress Controller then starts reporting Progressing=False again.
- You have a deployed Ingress Controller on a running cluster.
- Set the allowed source ranges API for the Ingress Controller by running the following command:

  $ oc -n openshift-ingress-operator patch ingresscontroller/default \
      --type=merge \
      --patch='{"spec":{"endpointPublishingStrategy":{"type":"LoadBalancerService","loadBalancer":{"scope":"External","allowedSourceRanges":["0.0.0.0/0"]}}}}'

  where:

  allowedSourceRanges: The example value 0.0.0.0/0 specifies the allowed source range. Because 0.0.0.0/0 matches every IPv4 address, replace it with the CIDR ranges that should reach the load balancer.
Migrating to load balancer allowed source ranges
To ensure long-term compatibility and use stable API parameters in OpenShift Container Platform, migrate from the legacy service.beta.kubernetes.io/load-balancer-source-ranges annotation to load balancer allowed source ranges.
When you set the AllowedSourceRanges, the Ingress Controller sets the spec.loadBalancerSourceRanges parameter based on the AllowedSourceRanges value and unsets the service.beta.kubernetes.io/load-balancer-source-ranges annotation.
Note
If you have already set the spec.loadBalancerSourceRanges parameter or the load balancer service annotation service.beta.kubernetes.io/load-balancer-source-ranges in a previous version of OpenShift Container Platform, the Ingress Controller starts reporting Progressing=True after an upgrade. To fix this, set AllowedSourceRanges, which overwrites the spec.loadBalancerSourceRanges parameter and clears the service.beta.kubernetes.io/load-balancer-source-ranges annotation. The Ingress Controller then starts reporting Progressing=False again.
- You have set the service.beta.kubernetes.io/load-balancer-source-ranges annotation.
- Check that the service.beta.kubernetes.io/load-balancer-source-ranges annotation is set by entering the following command:

  $ oc get svc router-default -n openshift-ingress -o yaml

  Example output

  apiVersion: v1
  kind: Service
  metadata:
    annotations:
      service.beta.kubernetes.io/load-balancer-source-ranges: 192.168.0.1/32

- Check that the spec.loadBalancerSourceRanges parameter is unset by entering the following command:

  $ oc get svc router-default -n openshift-ingress -o yaml

  Example output

  ...
  spec:
    loadBalancerSourceRanges:
    - 0.0.0.0/0
  ...

- Update your cluster to OpenShift Container Platform 4.19.
- Set the allowed source ranges API for the ingresscontroller by running the following command:

  $ oc -n openshift-ingress-operator patch ingresscontroller/default \
      --type=merge \
      --patch='{"spec":{"endpointPublishingStrategy":{"loadBalancer":{"allowedSourceRanges":["0.0.0.0/0"]}}}}'

  where:

  allowedSourceRanges: The example value 0.0.0.0/0 specifies the allowed source range. 0.0.0.0/0 matches every IPv4 address; to keep an existing restriction, specify the ranges from the legacy annotation instead.
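
The following Python check is an added example, not part of the OpenShift documentation: it audits the migration state described above from the JSON of the IngressController and the router-default Service (the same oc get commands with -o json). The function name audit, the finding codes and the sample objects are assumptions constructed for illustration.

```python
import ipaddress

LEGACY_ANNOTATION = "service.beta.kubernetes.io/load-balancer-source-ranges"


def audit(ingresscontroller, service):
    """Return sorted finding codes for one IngressController / router Service pair."""
    strategy = ingresscontroller.get("spec", {}).get("endpointPublishingStrategy", {})
    allowed = (strategy.get("loadBalancer") or {}).get("allowedSourceRanges") or []
    annotations = service.get("metadata", {}).get("annotations") or {}
    legacy = annotations.get(LEGACY_ANNOTATION)
    svc_ranges = service.get("spec", {}).get("loadBalancerSourceRanges") or []

    findings = set()
    if legacy is not None:
        findings.add("legacy-annotation-set")
    if not allowed and (legacy is not None or svc_ranges):
        # Ranges were set directly on the Service: the state the Note describes.
        findings.add("allowed-source-ranges-unset")
    if allowed and sorted(allowed) != sorted(svc_ranges):
        # The Service does not (yet) carry the ranges from the IngressController.
        findings.add("service-not-reconciled")

    # The legacy annotation holds a comma-separated list of CIDRs.
    legacy_items = [c.strip() for c in legacy.split(",")] if legacy else []
    for cidr in list(allowed) + list(svc_ranges) + legacy_items:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.add("invalid-cidr")
            continue
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 admits every source address.
            findings.add("allow-all-range")
    return sorted(findings)


# Constructed sample objects, trimmed to the fields the audit reads.
BEFORE_IC = {"spec": {"endpointPublishingStrategy": {"type": "LoadBalancerService"}}}
BEFORE_SVC = {"metadata": {"annotations": {LEGACY_ANNOTATION: "192.168.0.1/32"}}, "spec": {}}
AFTER_IC = {"spec": {"endpointPublishingStrategy": {"type": "LoadBalancerService",
            "loadBalancer": {"scope": "External", "allowedSourceRanges": ["0.0.0.0/0"]}}}}
AFTER_SVC = {"metadata": {"annotations": {}}, "spec": {"loadBalancerSourceRanges": ["0.0.0.0/0"]}}

if __name__ == "__main__":
    print("before migration:", audit(BEFORE_IC, BEFORE_SVC))
    print("after migration: ", audit(AFTER_IC, AFTER_SVC))
```

An empty result means the allowed source ranges are set on the IngressController, mirrored on the Service, free of the legacy annotation, and narrower than all addresses.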