Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restrict CIDR ip addresses for a LoadBalancer type service #614

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

asproul
Copy link

@asproul asproul commented Dec 16, 2024

What was changed

Restrict IP addresses for load balancers created for the frontend service by adding the spec.loadBalancerSourceRanges for the LoadBalancer type.

Why?

I am self-hosting temporal on a Google Kubernetes Engine (GKE) cluster running temporal workflows. I have exposed the frontend service as an internal load balancer to my Cloud Run service (which initiates the temporal workflows) but, by default, the firewall rule created by the GKE service sets a source as "0.0.0.0/0". I am required to further restrict the allowed source ip range to specific subnets.

GCP guide about restricting ip addresses based on CIDRs in spec.loadBalancerSourceRanges[]. Additionally, AWS documentation states that spec.loadBalancerSourceRanges[] is used to restrict IP addresses.

Checklist

  1. How was this tested:
cd charts/temporal

helm template render \
-f values.yaml \
--set "server.frontend.service.loadBalancerSourceRanges={1.1.1.1/8,2.2.2.2/8}" ./ \
| grep loadBalancerSourceRanges -A 3 -B 3

output is

    app.kubernetes.io/part-of: temporal
spec:
  type: ClusterIP
  loadBalancerSourceRanges:
    - 1.1.1.1/8
    - 2.2.2.2/8
  ports:
  • Rendered the template locally.
  • Deployed the changes to my development google kubernetes engine cluster.
  • Verified that the firewall rules concerning this frontend service changed the sourceIP from 0.0.0.0/0 to the ip range I specified in the server.frontend.service.loadBalancerSourceRanges from my helm values.yaml file.
  1. Any docs updates needed?
    No

Restrict which CIDR ranges are added to firewall rules if LoadBalancerSourceRanges is respected by the Cloud Service Provider.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant