Configure a blacklist or whitelist of source IP addresses by using an AlbConfig to enable access control - Container Service for Kubernetes

When you use an Application Load Balancer (ALB) Ingress to expose Services, you can configure access control lists (ACLs) to allow or deny requests from clients that use specific IP addresses to access the Services. This topic describes how to use an AlbConfig to create or modify an ACL and associate the ACL with a listener.

How ACLs work

ALB Ingresses implement fine-grained control over requests from clients that use specific IP addresses by associating ACLs with listeners and configuring whitelists or blacklists. An ACL contains a group of CIDR blocks. After you associate an ACL with a listener by using an AlbConfig, the listener uses the entries in the ACL to match the source IP addresses from which requests are sent to access the backend Service. You can use one of the following methods to control the requests:

Configure a whitelist to allow only requests from the source IP addresses that match the entries in the ACL to access the backend Service.
Configure a blacklist to deny the requests from the source IP addresses that match the entries in the ACL from accessing the backend Service.

Important

An ACL supports access control by using only IPv4 addresses.

The following figure shows how ACLs work.

Configuration methods

The following table describes the methods that you can use to associate a listener with an ACL. We recommend that you use the aclIds parameter.

Item	Use the aclIds parameter	Use the aclEntries parameter
Version of the ALB Ingress controller	The ALB Ingress controller 2.7.0 and later supports this parameter.	All versions of the ALB Ingress controller support this parameter.
Association with an existing ACL	You can use the ID of an existing ACL to associate a listener with the ACL.	The ALB Ingress controller 2.7.0 and later does not allow you to associate a listener with an existing ACL.
Method for creating an ACL	You must manually create an ACL in the Server Load Balancer (SLB) console before you use the ACL.	You can create an ACL by using an AlbConfig.
Use scenario	This method is suitable for scenarios in which you need to frequently change entries in an ACL and want to maintain the ACL in a cost-effective manner.	This method is suitable for scenarios in which you want to enable access control by using a small number of listeners and ACLs that contain a small number of entries.

Important

The aclIds and aclEntries parameters are mutually exclusive in the ACL configuration. You can use only one of them to configure an ACL for a listener. If you use both parameters at the same time, an error occurs.
In the ALB Ingress controller 2.7.0 and later, you can only use the aclIds parameter to associate an existing ACL with a listener.

Prerequisites

An AlbConfig is created, and a listener is configured by using the AlbConfig. The aclConfig parameter is associated with the listener for use.

Use the aclIds parameter to associate a listener with an ACL

Step 1: Create an ACL

Before you enable access control, you must create an ACL.

Log on to the ALB console.
In the top navigation bar, select the region in which you want to create the ACL.
In the left-side navigation pane, choose Application Load Balancer > Access Control.
On the Access Control page, click Create Access Control List.

In the Create ACL dialog box, configure the following parameters and click OK.

Parameter	Description
ACL Name	Enter a name for the network ACL.
Resource Group	Select a resource group.
Tag	Configure the Tag Key and Tag Value parameters. After you specify tags, you can filter ACLs by tag on the Access Control page.

Step 2: Add entries to the ACL

After you create an ACL, you can add entries to the ACL. ACL entries specify the source IP addresses or CIDR blocks from which requests are sent to your ALB instance. You can add multiple entries to each ACL.

On the Access Control page, find the ACL that you want to manage and click Manage in the Operations column.
On the Entry tab of the ACL details page, use one of the following methods to add entries:
- Add a single IP address or CIDR block
  Click Add Entry. In the Add ACL Entries dialog box, configure the IP/CIDR Block and Remarks parameters. Then, click Add.
- Add multiple IP addresses or CIDR blocks at a time
  Click Add ACL Entries. In the Add ACL Entries dialog box, add multiple IP addresses or CIDR blocks and the remarks. Then, click Add.
  Note
  When you add multiple entries at a time, take note of the following items:
  Enter one entry per line. Press the ENTER key to start a new line.
  Use a vertical bar (|) to separate an IP address or a CIDR block from the remarks within an entry. For example, you can enter 192.168.1.0/24|Remarks.
  You can add at most 20 entries at a time.
After you add entries, perform the following operations based on your business requirements:
- View the IP addresses or CIDR blocks that you added in the Entry column.
- Delete entries. To do so, find the entry that you want to delete and click Delete in the Actions column. You can also select the entries that you want to delete and click Delete below the list.
- To export entries, click the icon in the upper-right corner of the list to export all entries, or select the entries that you want to export and click the icon.

Step 3: Associate the ACL with a listener

The following sample YAML code adds the spec.listeners.aclConfig parameter to the existing AlbConfig and specifies the ID of the created ACL as the value of the aclIds parameter. In this example, the ID of the created ACL is acl-wtg***.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
  #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclType: White # The whitelist mode.
        aclIds:  
          - acl-wtg***	# Add the ID of the existing ACL to the ACL configuration. In this example, the ID of the existing ACL is acl-wtg***. 
	#...

The following table describes the parameters in aclConfig.

Parameter	Description
`aclType`	The type of the ACL. Valid values: Black and White.
`aclIds`	The ID of the ACL to be associated with a listener. Important Each listener can be associated with up to three ACLs.

Step 4: Verify the access control effect

You can use a client whose public IP address matches an entry in the whitelist or no entry in the blacklist to access the backend Service and verify the effect of the ACL configuration.

In this example, the resources that are created in the Get started with ALB Ingress topic are used.

If the access from the client is allowed, the client can access the backend Service as expected.

Step 5: (Optional) Disassociate the ACL from the listener

In the following YAML file, if you want to disassociate the ACL from the listener, you need to only remove the ID of the ACL from the value of the aclIds parameter or change the value of the aclIds parameter to null.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
   #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclType: White
        aclIds: null  # Remove the ID of the existing ACL from the value of this parameter. In this example, the ID of the existing ACL is acl-wtg***. 
  #...

Note

You cannot delete an ACL from an AlbConfig. To delete the ACL, log on to the SLB console.

Use the aclEntries parameter to create an ACL

Important

In the ALB Ingress controller 2.7.0 and later, you can no longer use the aclName parameter to associate existing ACLs with listeners. Each time you update the parameters in aclName, a new ACL is created and associated with a listener.
The ALB Ingress controller 2.6.0 and earlier supports the write-back mechanism. The following section describes how the write-back mechanism works:
- If the aclConfig parameter is left empty in an AlbConfig, the entries of the ACL associated with the listener are written back to the AlbConfig.
- If the aclConfig parameter is configured or the entries of the ACL associated with the listener are written back to the AlbConfig, the AlbConfig remains unchanged.
If the Ingress resources are changed, the ALB Ingress controller uses the configured AlbConfig to overwrite the ACL configuration in the console. In this case, you need to maintain the configuration consistency.

Step 1: Configure the entries in an ACL

The following sample YAML code adds or modifies the spec.listeners.aclConfig parameter in the existing AlbConfig and specifies CIDR blocks in the aclEntries parameter. If a value is specified in the aclName parameter, an ACL is created and uses the value as its name. If no value is specified in the aclName parameter, a name is automatically generated in the format of acl-{albName}-{port}.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
   #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclEntries: 
          - 192.168.XX.XX/16
          - 172.10.XX.XX/16
        aclType: White # The whitelist mode.
        aclName: "acl-test" # An ACL named acl-test is created and associated with a listener.
  #...

The following table describes the parameters in aclConfig.

Parameter	Description
`aclEntries`	The entries of the ACL. The entries must be CIDR blocks, such as 127.0.0.1/32.
`aclType`	The type of the ACL. Valid values: Black and White.
`aclName`	The name of the ACL.

Step 2: Verify the access control effect

You can use a client whose public IP address matches an entry in the whitelist or no entry in the blacklist to access the backend Service and verify the effect of the ACL configuration.

In this example, the resources that are created in the Get started with ALB Ingress topic are used.

If the access from the client is allowed, the client can access the backend Service as expected.

Step 3: (Optional) Remove the ACL

The following sample YAML code shows how to remove the ACL by updating the AlbConfig. The sample code removes the ACL of the whitelist type that contains the 172.10.XX.XX/16 CIDR block. The updated aclEntries parameter in the AlbConfig is synchronized to the associated ACL. In this example, the ACL is named acl-test. If the aclEntries parameter is left empty, all entries are removed from the ACL.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
   #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclEntries: 
          - 192.168.XX.XX/16
        aclType: White
        aclName: "acl-test" # The 172.10.XX.XX/16 entry in the acl-test ACL is also removed.
  #...

Note

You cannot delete an ACL from an AlbConfig. To delete the ACL, log on to the SLB console.

References

You can configure ACLs for the API server of a cluster. For more information, see Configure network ACLs for the API server of an ACK cluster.
The inbound and outbound traffic of nodes in a cluster is controlled by security groups. For more information about how to configure a security group, see Configure security groups for clusters.