Score:0

Deny direct IP access to an application deployed in Kubernetes


I have a NodeJS application with express.js as a backend framework deployed on cloud using Kubernetes. The K8s runs on top of an Ubuntu template. The application deployed in Kubernetes is of service type NodePort. This means the app uses the external IP address of the K8s nodes. In my case, it's currently using an external IP address of one of the master nodes.

I then assigned a DNS hostname for the application using Cloudflare Tunnel (aka Argo Tunnel). It works perfectly fine as I can access the application from outside the K8s cluster with the DNS hostname that was resolved. However, I can also access the application directly from a.b.c.d:31130. Here is a snippet from the config.yml file used in creating the Cloudflare tunnel:

tunnel: ***********8ab68bscjbi9cddhujhdhbh
credentials-file: /home/sebastian/.cloudflared/***********8ab68bscjbi9cddhujhdhbh.json

ingress:
  - hostname: myapp.test.io
    service: http://a.b.c.d:31130
  - service: http_status:404

My concern here is how to deny or block direct IP access to the application, as I do not wish to reveal the IP address and make life hard for myself from the security standpoint.

Whether this has to be configured from within Cloudflare or from within the K8s cluster is also my doubt. Any feedback and suggestions would be appreciated.
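One way to close the direct path, as an added example that is not part of the original question: run cloudflared inside the cluster and expose the app only as a ClusterIP Service, so no port is opened on the node's external IP at all, and add a NetworkPolicy so that only the cloudflared pods can reach the app. The names used here (namespace default, Service/Deployment myapp on container port 3000, label app=myapp, Secret cloudflared-credentials) are assumptions, and the tunnel id is a placeholder.

```yaml
# Added example (not from the original post). Assumed names: namespace "default",
# app pods labelled app=myapp listening on port 3000.
apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  type: ClusterIP          # was NodePort: nothing is bound on the node's external IP
  selector:
    app: myapp
  ports:
    - name: http
      port: 80
      targetPort: 3000
---
# Only pods labelled app=cloudflared may connect to the app; everything else is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: myapp-only-from-cloudflared
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: cloudflared
      ports:
        - protocol: TCP
          port: 3000
---
# cloudflared config: the origin is the cluster-internal Service name, not a node IP.
# <TUNNEL-ID> is a placeholder.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloudflared
  namespace: default
data:
  config.yml: |
    tunnel: <TUNNEL-ID>
    credentials-file: /etc/cloudflared/creds/credentials.json
    ingress:
      - hostname: myapp.test.io
        service: http://myapp.default.svc.cluster.local:80
      - service: http_status:404
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cloudflared
  template:
    metadata:
      labels:
        app: cloudflared    # must match the NetworkPolicy's podSelector above
    spec:
      containers:
        - name: cloudflared
          image: cloudflare/cloudflared:latest
          args: ["tunnel", "--config", "/etc/cloudflared/config/config.yml", "run"]
          volumeMounts:
            - name: config
              mountPath: /etc/cloudflared/config
              readOnly: true
            - name: creds
              mountPath: /etc/cloudflared/creds
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: cloudflared
        - name: creds
          secret:
            secretName: cloudflared-credentials   # assumed: holds the tunnel's .json credentials file
```

Two caveats: a NetworkPolicy is only enforced by a CNI plugin that supports it (Calico and Cilium do; some default CNIs accept the object but do nothing), so check that your cluster actually enforces it; and the external machine that currently runs cloudflared should be retired once the in-cluster one is serving, otherwise the node still has to remain reachable from outside.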

Score:1

From the Kubernetes perspective, an Ingress controller is the standard way to expose an HTTP backend over a TLS connection from the cluster to the client.

You can publish the application using TLS certificates. When creating the TLS certificate you can specify the alternative names which you would allow for your application. Other names or IP addresses will not be allowed to access the website.

Here is an example of alternative names. We can remove the IP addresses if we don't wish to allow access using IP.

X509v3 Subject Alternative Name:
    DNS:kmaster, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:172.16.16.100

Ingress TLS Examples https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/tls-termination

Alternative Names https://kubernetes.io/docs/tasks/administer-cluster/certificates/#openssl
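An Ingress manifest for the approach described above, as an added example that is not from the answer or the linked documentation. It assumes ingress-nginx is installed under the ingress class nginx, that a TLS Secret myapp-tls holds a certificate whose subjectAltName lists only DNS:myapp.test.io, and that the app is now a ClusterIP Service myapp on port 80 (the NodePort must be removed, or it still bypasses the ingress entirely).

```yaml
# Added example (not from the answer). Assumed: ingress class "nginx",
# TLS Secret "myapp-tls" (SAN = DNS:myapp.test.io only), ClusterIP Service "myapp":80.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  namespace: default
  annotations:
    # send plain-HTTP clients to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - myapp.test.io
      secretName: myapp-tls
  rules:
    - host: myapp.test.io      # only requests carrying this Host / SNI reach the app
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: myapp
                port:
                  number: 80
```

The Secret can be created from a certificate generated with openssl using `-addext "subjectAltName=DNS:myapp.test.io"` and `kubectl create secret tls myapp-tls --cert=tls.crt --key=tls.key`. Note that the SAN check is performed by the client; what keeps the IP path closed on the server side is the host rule, under which a request that arrives at the controller without a matching Host header is handed to the controller's default backend (404) instead of to the app.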
