Updated on 2025-06-26 GMT+08:00

Configuring an Access Policy for a Service

Overview

You can add IP addresses to a trustlist or blocklist to control access to a load balancer associated with the Service.

  • Trustlist: Only the IP addresses in the list can access the load balancer.
  • Blocklist: IP addresses in the list are not allowed to access the load balancer.

Prerequisites

IP address groups have been created on the ELB console. For details, see Creating an IP Address Group.

Configuring an Access Policy

  1. Log in to the CCI 2.0 console.
  2. In the navigation pane, choose Services. On the right of the page, click Create from YAML.
  3. Import or add the YAML file of the Service. For details about the parameters, see Table 1.

    The following is an example YAML file:

    • Resource description in the service.yaml file
      apiVersion: cci/v2
      kind: Service
      metadata:
        name: kubectl-test
        namespace: kubectl
        annotations:
          kubernetes.io/elb.class: elb
          kubernetes.io/elb.id: 1234567890 # Load balancer ID. Only dedicated load balancers are supported.
          kubernetes.io/elb.acl-id: <your_acl_id>               # ID of an IP address group for accessing the load balancer
          kubernetes.io/elb.acl-type: 'white'                   # Trustlist for access control
      spec:
        selector:
          app: kubectl-test
        ports:
          - name: service-0
            targetPort: 80   # Container port
            port: 12222      # Access port (load balancer's port for accessing the workload)
            protocol: TCP    # Protocol used to access the workload
        type: LoadBalancer
    • Resource description in the service.json file (JSON does not allow inline comments; the fields have the same meanings as in the YAML example above, and type belongs to spec, not to a port entry)
      {
        "apiVersion": "cci/v2",
        "kind": "Service",
        "metadata": {
          "name": "kubectl-test",
          "namespace": "kubectl",
          "annotations": {
            "kubernetes.io/elb.class": "elb",
            "kubernetes.io/elb.id": "1234567890",
            "kubernetes.io/elb.acl-id": "<your_acl_id>",
            "kubernetes.io/elb.acl-type": "white"
          }
        },
        "spec": {
          "selector": {
            "app": "kubectl-test"
          },
          "ports": [
            {
              "name": "service-0",
              "targetPort": 80,
              "port": 12222,
              "protocol": "TCP"
            }
          ],
          "type": "LoadBalancer"
        }
      }

  4. Click OK. Access the workload through the load balancer's IP address and port in the format of <IP-address>:<port>.

    • If a trustlist is used for access control, only the IP addresses in the trustlist can access the load balancer.
    • If a blocklist is used for access control, the IP addresses in the blocklist cannot access the load balancer.

Table 1 Annotations for ELB access control

Parameter: kubernetes.io/elb.acl-id
Type: String
Description:
  • If this parameter is not specified, CCI does not modify access control on ELB.
  • If this parameter is set to the IP address group ID of the load balancer, access control is enabled, and you need to configure an IP address blocklist or trustlist for the load balancer.
  • You can enter a maximum of five IP address group IDs separated by commas (,).
  • To obtain an IP address group ID, take the following steps:

    Log in to the console. In the Service List, choose Networking > Elastic Load Balance. On the Network Console, choose Elastic Load Balance > IP Address Groups and copy the ID of the target IP address group. For details, see IP Address Group.

Parameter: kubernetes.io/elb.acl-type
Type: String
Description: This parameter is mandatory when you configure an IP address blocklist or trustlist for a load balancer.
  • black: The selected IP address group cannot access the load balancer.
  • white: Only the selected IP address group can access the load balancer.

  If kubernetes.io/elb.acl-id is specified but kubernetes.io/elb.acl-type is not, the trustlist is used by default.
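The rules in Table 1 and the trustlist/blocklist behaviour described in step 4, as an added example that is not CCI or ELB code: it parses the service.json manifest, validates the two annotations the way Table 1 specifies (1 to 5 comma-separated group IDs, acl-type white or black, trustlist when acl-type is omitted), and then decides whether a given client address would be admitted. The IP address groups (ipgroup-office, ipgroup-vpn), their CIDRs and the client addresses are constructed sample data standing in for what the ELB console holds; none of them come from this page.

```python
"""Evaluate the ELB access-control annotations of a CCI Service manifest.

Example added to this page; it is not CCI or ELB code. The IP address groups,
group IDs and client addresses below are constructed sample data.
"""
import ipaddress
import json

ACL_ID_KEY = "kubernetes.io/elb.acl-id"
ACL_TYPE_KEY = "kubernetes.io/elb.acl-type"
MAX_ACL_GROUPS = 5          # Table 1: at most five comma-separated group IDs
VALID_ACL_TYPES = ("white", "black")

# Constructed sample: the page's service.json with placeholder group IDs filled in.
SAMPLE_MANIFEST = """{
  "apiVersion": "cci/v2",
  "kind": "Service",
  "metadata": {
    "name": "kubectl-test",
    "namespace": "kubectl",
    "annotations": {
      "kubernetes.io/elb.class": "elb",
      "kubernetes.io/elb.id": "1234567890",
      "kubernetes.io/elb.acl-id": "ipgroup-office,ipgroup-vpn",
      "kubernetes.io/elb.acl-type": "white"
    }
  },
  "spec": {
    "selector": {"app": "kubectl-test"},
    "ports": [{"name": "service-0", "targetPort": 80, "port": 12222, "protocol": "TCP"}],
    "type": "LoadBalancer"
  }
}"""

# Constructed IP address groups (group ID -> CIDRs), standing in for the groups
# created on the ELB console.
IP_GROUPS = {
    "ipgroup-office": ["203.0.113.0/24"],
    "ipgroup-vpn": ["198.51.100.10/32", "2001:db8:1::/48"],
}


def load_manifest(text):
    """Parse a service.json manifest into a dict."""
    return json.loads(text)


def parse_access_policy(manifest):
    """Apply the Table 1 rules and return (mode, group_ids).

    mode is None when acl-id is absent (CCI leaves the ELB ACL untouched),
    otherwise 'white' (trustlist) or 'black' (blocklist).
    Raises ValueError for annotation values the table does not allow.
    """
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    acl_id = annotations.get(ACL_ID_KEY)
    if acl_id is None or str(acl_id).strip() == "":
        return None, []
    groups = [g.strip() for g in str(acl_id).split(",") if g.strip()]
    if not groups or len(groups) > MAX_ACL_GROUPS:
        raise ValueError(f"{ACL_ID_KEY} must list 1 to {MAX_ACL_GROUPS} group IDs, got {len(groups)}")
    mode = annotations.get(ACL_TYPE_KEY, "white")   # trustlist is the documented default
    if mode not in VALID_ACL_TYPES:
        raise ValueError(f"{ACL_TYPE_KEY} must be one of {VALID_ACL_TYPES}, got {mode!r}")
    return mode, groups


def check_manifest(manifest):
    """Return None if the access-control annotations are well formed, else the error text."""
    try:
        parse_access_policy(manifest)
    except ValueError as exc:
        return str(exc)
    return None


def client_allowed(client_ip, mode, groups, ip_groups):
    """Decide whether client_ip may reach the load balancer under the given policy."""
    if mode is None:
        return True   # nothing configured through CCI; an ACL set directly on ELB still applies
    addr = ipaddress.ip_address(client_ip)
    listed = False
    for group_id in groups:
        if group_id not in ip_groups:
            raise KeyError(f"unknown IP address group {group_id!r}")
        for cidr in ip_groups[group_id]:
            # membership is False across address families (IPv4 vs IPv6), so mixed groups are safe
            if addr in ipaddress.ip_network(cidr, strict=False):
                listed = True
                break
    return listed if mode == "white" else not listed


def evaluate(manifest_text, client_ip, ip_groups=IP_GROUPS):
    """Load a manifest and answer whether client_ip is admitted."""
    mode, groups = parse_access_policy(load_manifest(manifest_text))
    return client_allowed(client_ip, mode, groups, ip_groups)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.1", "2001:db8:1::5"):
        print(ip, "allowed" if evaluate(SAMPLE_MANIFEST, ip) else "denied")
```

Running the module prints the decision for three constructed client addresses against the trustlist in the sample manifest. Note the None case: when kubernetes.io/elb.acl-id is absent, the function answers only for what this manifest configures; because CCI then does not modify access control on ELB, any IP address group already bound to the load balancer on the ELB console keeps applying.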