When you create a Container Service for Kubernetes (ACK) cluster, the system automatically creates an internal-facing Classic Load Balancer (CLB) instance for the API server of the cluster. The CLB instance serves as the internal endpoint of the API server. If you require fine-grained access control on the API server, you can configure network access control lists (ACLs) for the listener of the CLB instance that listens on port 6443. You can configure network ACLs as whitelists or blacklists to limit access to the API server. This topic describes how to control access to the API server by configuring a listener for the internal-facing CLB instance of the API server.
Background information
You can configure access control for each listener of a CLB instance. You can configure access control when you create a listener or modify the access control settings of an existing listener. For more information, see Access control.
To configure access control for the listeners of an Internet-facing CLB instance, you can create a network ACL and add public IP addresses to the network ACL. The procedure is similar to the steps in this topic.
Procedure
You can configure whitelists or blacklists for different listeners to accept or block access from specific IP addresses.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and click Cluster Information in the left-side navigation pane.
On the Cluster Information page, click the Basic Information tab. In the Cluster Information section, find and click Set access control next to API server Internal Endpoint.
In the SLB Console, turn on Access Control in the Configure Access Control panel, set ACL Type to Whitelist or Blacklist, select a network ACL, and then click OK.
Before you enable access control, you need to create a network ACL. For more information about how to create a network ACL, see Create an ACL. For more information about how to enable access control, see Enable access control.
ImportantYou need to configure the network ACL to accept access from the following CIDR blocks:
The control plane CIDR block of Container Service for Kubernetes: 100.104.0.0/16.
The primary CIDR block and the secondary CIDR blocks (if any) of the virtual private cloud (VPC) where the cluster resides, or the vSwitch CIDR block of the nodes in the cluster.
The public CIDR blocks used by clients that need to access the CLB instance of the API server.
The public CIDR blocks used by edge nodes if your cluster is an ACK Edge cluster.
The Vital Product Data (VPD) CIDR blocks if your cluster is an ACK Lingjun cluster.
You must configure the network ACL to accept access from the preceding CIDR blocks. Do not block access from the preceding CIDR blocks.