Configuring an Access Policy for a Service
Overview
You can add IP addresses to a trustlist or blocklist to control access to a load balancer associated with the Service.
- Trustlist: Only the IP addresses in the list can access the load balancer.
- Blocklist: IP addresses in the list are not allowed to access the load balancer.
Prerequisites
IP address groups have been created on the ELB console. For details, see Creating an IP Address Group.
Configuring an Access Policy
- Log in to the CCI 2.0 console.
- In the navigation pane, choose Services. On the right of the page, click Create from YAML.
- Import or add the YAML file of the Service. For details about the parameters, see Table 1.
The following is an example YAML file:
- Resource description in the service.yaml file
```yaml
apiVersion: cci/v2
kind: Service
metadata:
  name: kubectl-test
  namespace: kubectl
  annotations:
    kubernetes.io/elb.class: elb
    kubernetes.io/elb.id: "1234567890"        # Load balancer ID. Only dedicated load balancers are supported.
    kubernetes.io/elb.acl-id: <your_acl_id>   # ID of an IP address group for accessing the load balancer
    kubernetes.io/elb.acl-type: 'white'       # Trustlist for access control
spec:
  selector:
    app: kubectl-test
  ports:
    - name: service-0
      targetPort: 80    # Container port
      port: 12222       # Access port (load balancer's port for accessing the workload)
      protocol: TCP     # Protocol used to access the workload
  type: LoadBalancer
```
- Resource description in the service.json file
```json
{
  "apiVersion": "cci/v2",
  "kind": "Service",
  "metadata": {
    "name": "kubectl-test",
    "namespace": "kubectl",
    "annotations": {
      "kubernetes.io/elb.class": "elb",
      "kubernetes.io/elb.id": "1234567890",
      "kubernetes.io/elb.acl-id": "<your_acl_id>",
      "kubernetes.io/elb.acl-type": "white"
    }
  },
  "spec": {
    "selector": {
      "app": "kubectl-test"
    },
    "ports": [
      {
        "name": "service-0",
        "targetPort": 80,
        "port": 12222,
        "protocol": "TCP"
      }
    ],
    "type": "LoadBalancer"
  }
}
```
JSON does not allow comments, so the field explanations are omitted here. The fields have the same meanings as in the YAML example: kubernetes.io/elb.id is the ID of a dedicated load balancer, kubernetes.io/elb.acl-id is the ID of the IP address group, kubernetes.io/elb.acl-type set to white applies the group as a trustlist, targetPort is the container port, port is the load balancer's access port, and protocol is the protocol used to access the workload.
- Click OK. Access the workload through the load balancer's IP address and port in the format of <IP-address>:<port>.
- If a trustlist is used for access control, only the IP addresses in the trustlist can access the load balancer.
- If a blocklist is used for access control, the IP addresses in the blocklist cannot access the load balancer.
Table 1 Parameters

Parameter | Type | Description
---|---|---
kubernetes.io/elb.acl-id | String | ID of an IP address group for accessing the load balancer.
kubernetes.io/elb.acl-type | String | This parameter is mandatory when you configure an IP address blocklist or trustlist for a load balancer. If kubernetes.io/elb.acl-id is specified but kubernetes.io/elb.acl-type is not, the trustlist is used by default.
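As an added pre-deployment check (example code written for this page, not part of the CCI documentation or product), the following Python lint reads a Service manifest such as the service.json above and reports a LoadBalancer Service that has no IP address group bound, still carries the `<your_acl_id>` placeholder, or silently relies on the default trustlist behaviour described in Table 1. The page shows only the `white` value; treating `black` as the blocklist value is an assumption of this example.

```python
import json

# Annotation keys used in the Service manifest on this page.
ACL_ID = "kubernetes.io/elb.acl-id"
ACL_TYPE = "kubernetes.io/elb.acl-type"
# "white" (trustlist) is the value shown on this page; "black" for a blocklist
# is an assumption of this example, not taken from the page.
KNOWN_ACL_TYPES = {"white", "black"}


def check_elb_acl(service: dict) -> list[str]:
    """Return findings for a LoadBalancer Service whose ACL annotations look incomplete."""
    findings = []
    if service.get("spec", {}).get("type") != "LoadBalancer":
        return findings  # no load balancer is exposed, so there is nothing to check
    ann = service.get("metadata", {}).get("annotations", {})
    acl_id = ann.get(ACL_ID)
    acl_type = ann.get(ACL_TYPE)
    if acl_id is None:
        findings.append(f"{ACL_ID} missing: no IP address group restricts access to the load balancer")
        return findings
    if acl_id.startswith("<") and acl_id.endswith(">"):
        findings.append(f"{ACL_ID} still holds the template placeholder {acl_id!r}")
    if acl_type is None:
        findings.append(f"{ACL_TYPE} not set: the IP address group is applied as a trustlist by default")
    elif acl_type not in KNOWN_ACL_TYPES:
        findings.append(f"{ACL_TYPE} has unexpected value {acl_type!r}")
    return findings


# Constructed sample: the service.json example with acl-type omitted and the
# acl-id placeholder left in place, as happens when the template is applied unedited.
SAMPLE_JSON = """{
  "apiVersion": "cci/v2", "kind": "Service",
  "metadata": {"name": "kubectl-test", "namespace": "kubectl",
               "annotations": {"kubernetes.io/elb.class": "elb",
                               "kubernetes.io/elb.id": "1234567890",
                               "kubernetes.io/elb.acl-id": "<your_acl_id>"}},
  "spec": {"type": "LoadBalancer", "selector": {"app": "kubectl-test"},
           "ports": [{"name": "service-0", "targetPort": 80, "port": 12222, "protocol": "TCP"}]}
}"""


def check_sample_manifest() -> list[str]:
    return check_elb_acl(json.loads(SAMPLE_JSON))


if __name__ == "__main__":
    for finding in check_sample_manifest():
        print("WARN:", finding)
```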