Configuring ingress cluster traffic using load balancer allowed source ranges

    You can enable and configure the spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges field. By configuring load balancer allowed source ranges, you can limit the access to the load balancer for the Ingress Controller to a specified list of IP address ranges. The Ingress Operator reconciles the load balancer Service and sets the spec.loadBalancerSourceRanges field based on AllowedSourceRanges.

    Prerequisites

    • You have a deployed Ingress Controller on a running cluster.

    Procedure

    If you have already set the annotation service.beta.kubernetes.io/load-balancer-source-ranges, you can migrate to load balancer allowed source ranges. When you set the AllowedSourceRanges, the Ingress Controller sets the spec.loadBalancerSourceRanges field based on the AllowedSourceRanges value and unsets the service.beta.kubernetes.io/load-balancer-source-ranges annotation.

    Prerequisites

    • You have set the service.beta.kubernetes.io/load-balancer-source-ranges annotation.

    Procedure

      1. $ oc get svc router-default -n openshift-ingress -o yaml

      Example output

    2. Ensure that the spec.loadBalancerSourceRanges field is unset:

        Example output

      1. Update your cluster to OKD 4.13.

        1. $ oc -n openshift-ingress-operator patch ingresscontroller/default \
        2.     --type=merge --patch='{"spec":{"endpointPublishingStrategy": \