
Restrict CIDR ip addresses for a LoadBalancer type service #553

Open
wants to merge 1 commit into base: main

Conversation

@asproul asproul commented Sep 9, 2024

What was changed

Restrict IP addresses for load balancers created for the frontend service by adding the spec.loadBalancerSourceRanges for the LoadBalancer type.

Why?

I am self-hosting temporal on a Google Kubernetes Engine (GKE) cluster running temporal workflows. I have exposed the frontend service as an internal load balancer to my Cloud Run service (which initiates the temporal workflows) but, by default, the firewall rule created by the GKE service sets the source range to "0.0.0.0/0". I am required to further restrict the allowed source IP range to specific subnets.

See the GCP guide about restricting IP addresses based on CIDRs in spec.loadBalancerSourceRanges[]. Additionally, AWS documentation states that spec.loadBalancerSourceRanges[] is used to restrict IP addresses.

Checklist

1. How was this tested:

```shell
cd charts/temporal

helm template render \
  -f values.yaml \
  --set "server.frontend.service.loadBalancerSourceRanges={1.1.1.1/8,2.2.2.2/8}" ./ \
  | grep loadBalancerSourceRanges -A 3 -B 3
```

   Output is:

```yaml
    app.kubernetes.io/part-of: temporal
spec:
  type: ClusterIP
  loadBalancerSourceRanges:
    - 1.1.1.1/8
    - 2.2.2.2/8
  ports:
```

   • Rendered the template locally.
   • Deployed the changes to my development Google Kubernetes Engine cluster.
   • Verified that the firewall rules concerning this frontend service changed the source IP from 0.0.0.0/0 to the IP range I specified in server.frontend.service.loadBalancerSourceRanges in my Helm values.yaml file.

2. Any docs updates needed?
   No

@asproul asproul requested a review from a team as a code owner September 9, 2024 22:05
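The rendered output above is the kind of artifact worth checking automatically before a chart change ships: that `loadBalancerSourceRanges` only appears on a Service whose `type` is `LoadBalancer` (the Kubernetes API server rejects the field on any other type), that each entry is a valid CIDR, that none of them is `0.0.0.0/0` or `::/0`, and that no entry has host bits set (the API server masks those to the network, so `1.1.1.1/8` is really `1.0.0.0/8`). The script below is an added example written for this discussion; it is not code from the temporal helm chart or from the PR author. The three manifests are constructed inline to mimic `helm template` output (the Service name and port are assumptions), so it runs offline with only the standard library.

```python
"""Lint loadBalancerSourceRanges on rendered Kubernetes Service manifests.

Added example for this PR discussion; not part of the temporal helm chart.
The sample manifests are constructed to look like `helm template` output.
"""
import ipaddress

# Constructed sample: what the PR's helm template run printed, with the
# Service type still at its ClusterIP default (name and port are assumptions).
RENDERED_CLUSTERIP = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "temporal-frontend"},
    "spec": {
        "type": "ClusterIP",
        "loadBalancerSourceRanges": ["1.1.1.1/8", "2.2.2.2/8"],
        "ports": [{"port": 7233, "targetPort": "rpc"}],
    },
}

# Constructed sample: the intended deployment, an internal LoadBalancer
# reachable only from two specific subnets.
RENDERED_LB = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "temporal-frontend"},
    "spec": {
        "type": "LoadBalancer",
        "loadBalancerSourceRanges": ["10.8.0.0/28", "10.9.0.0/24"],
        "ports": [{"port": 7233, "targetPort": "rpc"}],
    },
}

# Constructed sample: a value that silently re-opens the firewall to the world.
RENDERED_OPEN = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "temporal-frontend"},
    "spec": {
        "type": "LoadBalancer",
        "loadBalancerSourceRanges": ["0.0.0.0/0"],
        "ports": [{"port": 7233, "targetPort": "rpc"}],
    },
}


def check_source_ranges(service: dict) -> list[str]:
    """Return a list of findings for one Service manifest (empty means clean)."""
    findings: list[str] = []
    spec = service.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")
    ranges = spec.get("loadBalancerSourceRanges") or []

    # A LoadBalancer with no ranges gets the cloud provider's default,
    # which on GKE is a firewall rule with source 0.0.0.0/0.
    if svc_type == "LoadBalancer" and not ranges:
        findings.append(
            "LoadBalancer without loadBalancerSourceRanges: "
            "the provider firewall defaults to 0.0.0.0/0"
        )

    # The API server only accepts this field when type is LoadBalancer;
    # on any other type the manifest is rejected at apply time.
    if ranges and svc_type != "LoadBalancer":
        findings.append(
            f"loadBalancerSourceRanges set on a {svc_type} Service; "
            "the field is only allowed when type is LoadBalancer"
        )

    for raw in ranges:
        value = raw.strip()  # the API server tolerates surrounding whitespace
        try:
            # strict=False mirrors the server, which masks host bits away
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"{raw!r} is not a valid CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"{raw!r} allows every source address")
        if str(net) != value:
            findings.append(f"{raw!r} has host bits set; it is interpreted as {net}")
    return findings


def is_clean(service: dict) -> bool:
    """True when the Service carries a usable, non-open allow list."""
    return not check_source_ranges(service)


if __name__ == "__main__":
    for label, svc in (("clusterip", RENDERED_CLUSTERIP),
                       ("loadbalancer", RENDERED_LB),
                       ("open", RENDERED_OPEN)):
        print(label, check_source_ranges(svc) or "ok")
```

To run it against real output, load each document of `helm template ... | yq ...` (or a PyYAML `safe_load_all`) and pass every `kind: Service` dict to `check_source_ranges`; a non-empty result is a reason to fail the pipeline before anything reaches the cluster. The host-bits warning is advisory: Kubernetes and GCP accept `1.1.1.1/8`, but the rule that lands is `1.0.0.0/8`, which is easy to misread during review.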
@CLAassistant

CLAassistant commented Sep 9, 2024

CLA assistant check
All committers have signed the CLA.

@robholland
Contributor

Could you add an example to the values file of what these entries would look like? Or if you're willing/able, add a test file for the service, like: https://github.com/temporalio/helm-charts/blob/main/charts/temporal/tests/server_deployment_test.yaml for the deployment.

@robholland robholland added the needs revision Team has requested some changes label Dec 9, 2024
3 participants