I'm running services on Kubernetes, and I need to dynamically update the ACLs for an external service based on the node IPs in my cluster. What's the best way to retrieve these node IPs, and is creating an operator a suitable solution for managing this task?
1 Answer
Managing IP filtering can be tricky. If you're concerned about tightening security without just opening a whole CIDR range, the tricky part is keeping the ACL updated as nodes scale up and down. Instead of maintaining each IP address manually, you might want to consider using a proxy in your cluster to route traffic. This way, you can apply mTLS for secure communication, which allows you to handle access without dealing with the complexity of changing node IPs directly.
I had something similar in mind too, but I'm stuck because we use the Calico CNI plugin that doesn't support egress gateways. Right now, I've just allowed a CIDR range and used basic authentication. Not sure if mTLS will work with my external service either.
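Added example (not from the question, the answer, or the Calico project): the reconcile step an operator or cron job would run for the approach in the question, namely pull the node addresses, diff them against what the external service currently allows, and push only the change set. The Node JSON is constructed to match the shape of `kubectl get nodes -o json` (a real run would feed in that command's output or the client library's `list_node()` result); `apply_acl` is a hypothetical callback standing in for whatever API the external service actually exposes.

```python
"""Reconcile an external service's IP allowlist against Kubernetes node IPs.

Assumptions (not from the original post): the allowlist accepts /32 entries,
and `apply_acl` is a placeholder for the external service's update call.
"""
import ipaddress
import json

# Constructed sample in the shape of `kubectl get nodes -o json`:
# two nodes with an ExternalIP, one private-only node with just an InternalIP.
SAMPLE_NODE_LIST = json.dumps({
    "kind": "NodeList",
    "items": [
        {"metadata": {"name": "node-a"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.0.0.11"},
             {"type": "ExternalIP", "address": "203.0.113.11"},
             {"type": "Hostname", "address": "node-a"}]}},
        {"metadata": {"name": "node-b"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.0.0.12"},
             {"type": "ExternalIP", "address": "203.0.113.12"}]}},
        {"metadata": {"name": "node-c"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.0.0.13"}]}},
    ],
})


def node_ips(node_list_json, address_type="ExternalIP"):
    """Return the set of node addresses of the given type (ExternalIP by default).

    Each value is validated with ipaddress so a hostname or malformed string
    in the API response cannot end up as an ACL entry.
    """
    nodes = json.loads(node_list_json)
    ips = set()
    for node in nodes.get("items", []):
        for addr in node.get("status", {}).get("addresses", []):
            if addr.get("type") != address_type:
                continue
            try:
                ips.add(str(ipaddress.ip_address(addr["address"])))
            except (KeyError, ValueError):
                continue  # skip junk rather than poison the allowlist
    return ips


def plan_acl_update(current_acl, desired_ips):
    """Compute the minimal change set: entries to add and entries to revoke.

    Both sides are normalised to CIDR form so "203.0.113.11" and
    "203.0.113.11/32" compare equal. A broad range already present in the
    ACL (e.g. a /24) is reported for removal, since the point of the
    exercise is to replace it with exact node addresses.
    """
    current = {str(ipaddress.ip_network(e, strict=False)) for e in current_acl}
    desired = {str(ipaddress.ip_network(ip)) for ip in desired_ips}
    return {"add": sorted(desired - current), "remove": sorted(current - desired)}


def reconcile(node_list_json, current_acl, apply_acl, address_type="ExternalIP"):
    """One reconcile pass: read nodes, plan the diff, push it via apply_acl.

    Guard: if the node listing comes back empty (API outage, RBAC mistake,
    wrong address type) refuse to act rather than revoke every entry and
    lock the cluster out of the external service.
    """
    desired = node_ips(node_list_json, address_type)
    if not desired:
        raise RuntimeError("no node addresses of type %s found; refusing to "
                           "reconcile to an empty allowlist" % address_type)
    plan = plan_acl_update(current_acl, desired)
    if plan["add"] or plan["remove"]:
        apply_acl(plan)  # hypothetical: the external service's update call
    return plan


if __name__ == "__main__":
    # Stand-alone run: pretend the service currently allows one stale node.
    print(json.dumps(reconcile(SAMPLE_NODE_LIST, ["203.0.113.10"],
                               apply_acl=lambda p: print("applying", p))))
```

In an operator this function body is what the Node watch handler calls on every add/update/delete event (and on a periodic resync, so a missed event cannot leave the ACL stale). The empty-set guard matters more than it looks: a transient API failure that returns zero nodes would otherwise be "reconciled" into a full revocation.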