Available in VPC
When using KVM-based Ncloud Kubernetes Service, you can declaratively manage Load Balancer Access Control Lists (ACLs) in Kubernetes through custom resource definitions. This allows you to apply ACLs to Services and Ingresses deployed in Kubernetes to control access to subnets. This feature is available starting from Ncloud Kubernetes Service version 1.34.
- To use the ACL feature, you must set either the annotation service.beta.kubernetes.io/ncloud-load-balancer-enable-acl-operator on the Service where the ACL is to be registered, or alb.ingress.kubernetes.io/enable-acl-operator on the Ingress, to "true". If the annotation is not set, state synchronization may not function properly.
Example of applying an ACL to a Load Balancer instance integrated with Ncloud Kubernetes Service
To apply an ACL to a Load Balancer instance integrated with Ncloud Kubernetes Service, you must create a Service object of the Load Balancer type. Copy the following code and save it as service.yaml.
apiVersion: v1
kind: Service
metadata:
  name: test-lb
  annotations:
    service.beta.kubernetes.io/ncloud-load-balancer-enable-acl-operator: "true"
spec:
  type: LoadBalancer
  selector:
    app: test-lb
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
      name: http
    - protocol: TCP
      port: 443
      targetPort: 443
      name: https
    - protocol: TCP
      port: 8080
      targetPort: 8080
      name: api
Run the following command to deploy the Service:
kubectl apply -f service.yaml
After the Service object is deployed, a Load Balancer is created with 3 listeners, one for each of the 3 specified ports. To define the Access Control List to be bound to each listener, copy the following code and save it as acl.yaml.
apiVersion: loadbalancer.vnks.ncloud.com/v1alpha1
kind: AccessControlList
metadata:
  name: example-acl
spec:
  rules:
    - priority: 1
      action: DENY
      ipBlockCidr: 0.0.0.0/0
      portRange: 1-65535
Run the following command to deploy the Access Control List:
kubectl apply -f acl.yaml
The Access Control List object has the same kinds of fields as an ACL: priority, action (policy), CIDR, and port range. After you deploy the object above, an ACL is created with priority 1, source 0.0.0.0/0, ports 1-65535, and the DENY action. For spec.rules[].action, you can use "DENY" or "ALLOW". If the object is deployed successfully, run the following command to check the ACL associated with the object:
kubectl get acl example-acl -o jsonpath='{.status}'
To view the full specification of the Access Control List object, run the following command:
kubectl get crds accesscontrollists.loadbalancer.vnks.ncloud.com -o yaml
Next, you can link the created ACL to a Service object of the Load Balancer type by deploying an Access Control List Binding object. To associate the ACL with the Service object, copy the following code and save it as aclbinding.yaml.
apiVersion: loadbalancer.vnks.ncloud.com/v1alpha1
kind: AccessControlListBinding
metadata:
  name: example-aclb
spec:
  loadBalancerRef:
    serviceRef: test-lb
  bindingMap:
    - accessControlListName: example-acl
      port: 80
      protocol: TCP
    - accessControlListName: example-acl
      port: 443
      protocol: TCP
    - accessControlListName: example-acl
      port: 8080
      protocol: TCP
Run the following command to deploy the Access Control List Binding:
kubectl apply -f aclbinding.yaml
This object defines which Access Control List object is linked to each listener of the Load Balancer instance created by the Service object. In this example, the ACL bound to TCP ports 80, 443, and 8080 denies every source, so no traffic reaches those listeners. The currently supported values for spec.loadBalancerRef are serviceRef: <service-name> and ingressRef: <ingress-name>. The Access Control List Binding object and the Service or Ingress object it references must be in the same namespace.
Run the following command to check the status of the ACL associated with the Load Balancer listener:
kubectl get aclb example-aclb -o jsonpath='{.status}'
To view the full specification of the Access Control List Binding object, run the following command:
kubectl get crds accesscontrollistbindings.loadbalancer.vnks.ncloud.com -o yaml
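Before running kubectl apply, it is worth checking the three manifests against each other: that every rule uses a valid action, CIDR and port range, that an ALLOW rule does not open a listener to 0.0.0.0/0, that the Service carries the enable-acl-operator annotation, that the binding references the Service in the same namespace, and that every listener port has an ACL bound. The following is an added example (not code from the Ncloud documentation or the operator) that performs these checks on constructed dict copies of this page's service.yaml, acl.yaml and aclbinding.yaml; check_acl and check_binding are hypothetical helper names.

```python
import ipaddress
ACL_ANNOTATION = "service.beta.kubernetes.io/ncloud-load-balancer-enable-acl-operator"

# Constructed dict versions of this page's service.yaml, acl.yaml and
# aclbinding.yaml (stand-ins for parsed YAML so the check runs offline).
SERVICE = {"metadata": {"name": "test-lb", "namespace": "default",
                        "annotations": {ACL_ANNOTATION: "true"}},
           "spec": {"type": "LoadBalancer", "ports": [{"protocol": "TCP", "port": p} for p in (80, 443, 8080)]}}
ACL = {"metadata": {"name": "example-acl", "namespace": "default"},
       "spec": {"rules": [{"priority": 1, "action": "DENY",
                           "ipBlockCidr": "0.0.0.0/0", "portRange": "1-65535"}]}}
BINDING = {"metadata": {"name": "example-aclb", "namespace": "default"},
           "spec": {"loadBalancerRef": {"serviceRef": "test-lb"},
                    "bindingMap": [{"accessControlListName": "example-acl",
                                    "port": p, "protocol": "TCP"} for p in (80, 443, 8080)]}}

def check_acl(acl):
    # Returns the problems found in an AccessControlList's spec.rules (empty list = clean)
    problems = []
    for r in acl["spec"]["rules"]:
        tag = f"priority {r['priority']}"
        if r["action"] not in ("ALLOW", "DENY"):
            problems.append(f"{tag}: action must be ALLOW or DENY")
        try:
            net = ipaddress.ip_network(r["ipBlockCidr"], strict=False)
            if r["action"] == "ALLOW" and net.prefixlen == 0:  # open to every source
                problems.append(f"{tag}: ALLOW from any source")
        except ValueError:
            problems.append(f"{tag}: bad CIDR {r['ipBlockCidr']}")
        ports = str(r["portRange"]).split("-")  # "80" or "1-65535"
        if not (all(p.isdigit() for p in ports) and 1 <= int(ports[0]) <= int(ports[-1]) <= 65535):
            problems.append(f"{tag}: bad portRange {r['portRange']}")
    return problems

def check_binding(binding, service, acl_names):
    problems, bound, meta = [], set(), service["metadata"]
    ref = binding["spec"]["loadBalancerRef"].get("serviceRef")
    if ref != meta["name"] or meta.get("namespace") != binding["metadata"].get("namespace"):
        problems.append(f"serviceRef {ref} is not this Service, or the namespaces differ")
    if meta.get("annotations", {}).get(ACL_ANNOTATION) != "true":
        problems.append(f"Service {meta['name']} lacks {ACL_ANNOTATION}=true")
    listeners = {(p["protocol"], p["port"]) for p in service["spec"]["ports"]}
    for b in binding["spec"]["bindingMap"]:
        key = (b["protocol"], b["port"])
        if key not in listeners:
            problems.append(f"{key} in bindingMap is not a listener on the Service")
        if b["accessControlListName"] not in acl_names:
            problems.append(f"ACL {b['accessControlListName']} does not exist")
        bound.add(key)
    problems += [f"listener {k} has no ACL bound" for k in sorted(listeners - bound)]
    return problems
```

A listener left out of bindingMap keeps whatever access the Load Balancer had before, so the "has no ACL bound" finding is the one to act on when the intent is to deny all sources.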