How to configure access control for your cluster
The access control feature of SKE enables an additional layer of security for your Kubernetes clusters by limiting access to the Kubernetes API. In this article, we’ll show you how to enable and configure access control.
Configuring access control via SKE API
The access control feature is currently available via the SKE API as an extension. Refer to the following example of a cluster object, in which some fields are omitted for clarity:

```json
{
  "name": "example-cluster",
  "kubernetes": {...},
  "nodepools": [...],
  "maintenance": {...},
  "extensions": {
    "acl": {
      "enabled": true,
      "allowedCidrs": [
        "10.0.0.0/16",
        "1.2.3.4/32"
      ]
    }
  }
}
```

This cluster object specifies and enables the acl extension (ACL stands for access control list). Note that the field enabled has to be set to true for the extension to have any effect.
To enable access control, send a PUT request to the SKE API that contains a cluster object which has the ACL extension enabled and configured. Please read on to learn how to determine which entries you need to add for allowedCidrs.
Specifying allowed CIDRs
Take a look at the field allowedCidrs. CIDR is an abbreviation for Classless Inter-Domain Routing, which, among other things, defines the notation for IP ranges used here. Every entry in this list specifies an IP range, consisting of an IP address (for example 10.0.0.0) and a suffix (for example /16). The suffix denotes the size of the range. All requests that originate from an IP address within one of the specified ranges are allowed to connect to the Kubernetes API server. In the above example, this means:

- 10.0.0.0/16 -> all IP addresses in the range from 10.0.0.0 to 10.0.255.255 are allowed.
- 1.2.3.4/32 -> the single IP address 1.2.3.4 is allowed.

As you can see, a suffix of /32 allows a single IP address, which gives you the most fine-grained configuration. If you’re unsure about the correct CIDR notation for the IP range you have in mind, consider using an online converter (for example, ipaddressguide.com/cidr).
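Before sending the PUT request, it is worth checking the allowedCidrs list locally: an entry with host bits set is not a valid range, an empty list on an enabled ACL cuts everyone off, and a list that omits your own address locks you out of your own API server. The following script is an added example and not part of SKE or its API; the cluster object is constructed in the shape shown above, and the check functions are assumed names, not SKE features.

```python
import ipaddress

# Constructed cluster object in the shape shown above; not a real SKE cluster.
CLUSTER = {
    "name": "example-cluster",
    "extensions": {
        "acl": {"enabled": True, "allowedCidrs": ["10.0.0.0/16", "1.2.3.4/32"]},
    },
}

def cidr_range(cidr):
    """Return (first, last) address of a CIDR, e.g. 10.0.0.0/16 -> 10.0.0.0 .. 10.0.255.255."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)

def allowed_networks(cluster):
    """Parse allowedCidrs; strict=True rejects entries whose host bits are set (e.g. 10.0.1.0/16)."""
    acl = cluster.get("extensions", {}).get("acl", {})
    return [ipaddress.ip_network(c, strict=True) for c in acl.get("allowedCidrs", [])]

def is_allowed(cluster, client_ip):
    """True if the ACL extension is disabled or client_ip lies in one of the allowed ranges."""
    acl = cluster.get("extensions", {}).get("acl", {})
    if not acl.get("enabled"):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowed_networks(cluster))

def check_before_apply(cluster, my_ip):
    """Problems to fix before sending the PUT; an empty list means the ACL is safe to apply."""
    acl = cluster.get("extensions", {}).get("acl", {})
    if not acl.get("enabled"):
        return ["acl.enabled is false: the allowedCidrs list has no effect"]
    try:
        nets = allowed_networks(cluster)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    problems = []
    if not nets:
        problems.append("ACL enabled with no allowedCidrs: no client can reach the API server")
    for net in nets:
        if net.prefixlen == 0:
            problems.append(f"{net} admits every address and defeats the ACL")
    if not is_allowed(cluster, my_ip):
        problems.append(f"{my_ip} is not in allowedCidrs: you would lock yourself out")
    return problems

if __name__ == "__main__":
    for cidr in CLUSTER["extensions"]["acl"]["allowedCidrs"]:
        print(cidr, "->", *cidr_range(cidr))
    print(check_before_apply(CLUSTER, "192.0.2.10") or "ok")
```

Run it with the public IP address from which you reach the API server (for example the egress address of your office or CI network) as my_ip; only send the PUT when the returned list is empty.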
Refer to the API documentation for more information on how to interact with the SKE API.