Configuring a Blocklist/Trustlist Access Policy for a LoadBalancer Ingress
You can add IP addresses to a trustlist or blocklist to control access to a listener of a LoadBalancer ingress.
- Trustlist: Only the IP addresses in the list can access the listener.
- Blocklist: The IP addresses in the list are not allowed to access the listener.
Prerequisites
- A Kubernetes cluster is available and the cluster version meets the following requirements:
- v1.23: v1.23.12-r0 or later
- v1.25: v1.25.7-r0 or later
- v1.27: v1.27.4-r0 or later
- v1.28: v1.28.2-r0 or later
- Other clusters of later versions
- An IP address group has been created on the ELB console. For details, see Creating an IP Address Group.
Using the CCE Console
- Log in to the CCE console and click the cluster name to access the cluster console.
- Choose Services & Ingresses in the navigation pane, click the Ingresses tab, and click Create Ingress in the upper right corner.
- Configure access control parameters for the ingress.
- Allow all IP addresses: No access control is configured.
- Trustlist: Only the selected IP address group can access the load balancer.
- Blocklist: The selected IP address group cannot access the load balancer.
For details about how to configure other parameters, see Creating a LoadBalancer Ingress on the Console.
- Click OK.
Using kubectl
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress-test annotations: kubernetes.io/elb.id: <your_elb_id> # Load balancer ID. Replace it with the actual value. kubernetes.io/elb.class: performance # Load balancer type kubernetes.io/elb.port: '80' # External port of the load balancer listener kubernetes.io/elb.acl-id: <your_acl_id> # ID of an IP address group for accessing a load balancer kubernetes.io/elb.acl-status: 'on' # Enable access control. kubernetes.io/elb.acl-type: 'white' # Trustlist for access control spec: rules: - host: '' http: paths: - path: '/' backend: service: name: <your_service_name> # Replace it with the name of your target Service. port: number: 8080 # Replace 8080 with the port number of your target Service. property: ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH pathType: ImplementationSpecific ingressClassName: cce
Parameter |
Type |
Description |
---|---|---|
kubernetes.io/elb.acl-id |
String |
|
kubernetes.io/elb.acl-status |
String |
This parameter is mandatory when you configure an IP address blocklist or trustlist for a load balancer. Options:
|
kubernetes.io/elb.acl-type |
String |
This parameter is mandatory when you configure an IP address blocklist or trustlist for a load balancer. Options:
|
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot