You can configure a Kubernetes service of type LoadBalancer to allow load balancer traffic based on the source IP address of the incoming request, and to only allow local pod traffic.
You can use the externalTrafficPolicy and LoadBalancerSourceRanges features with a Kubernetes service of type LoadBalancer on a Tanzu Kubernetes cluster that meets the following minimum requirements:
| Component | Minimum Requirement | More Information |
|---|---|---|
| vCenter Server and ESXi | vSphere 7.0 Update 2 | See the Release Notes. |
| Supervisor Cluster | | See Update the Supervisor Cluster by Performing a vSphere Namespaces Update. |
| NSX-T Data Center | v3.1 | See Networking for vSphere with Tanzu. |
| Tanzu Kubernetes Release | One of the latest Tanzu Kubernetes releases. | See Verify Tanzu Kubernetes Cluster Compatibility for Update. |
About Support for Local Traffic Policy and Source IP Ranges
If you are using NSX-T Data Center networking, you can configure a Kubernetes Service of Type LoadBalancer with an external traffic policy and with load balancer source IP ranges. The externalTrafficPolicy feature lets you restrict pod traffic to the local node. The LoadBalancerSourceRange feature lets you specify which source IP addresses are allowed; any other source is blocked.
Example Service for Local Traffic Only
The following load balancer service specification configures the load balancer instance with the externalTrafficPolicy parameter set to Local. The result is that pod traffic is routed only to those nodes that have local pods running.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: local-only
spec:
  selector:
    app: testApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  externalTrafficPolicy: Local
  type: LoadBalancer
```
The feature works using an NSX-T health check monitor. From an NSX-T administration perspective, it is important to be aware of the internal operations of this feature.
An NSX-T health check monitor watches the Kubernetes Health Check NodePort allocated by kube-proxy for the server pool that corresponds to the Service of Type LoadBalancer. The NSX-T health check monitor sends HTTP GET requests to the target Health Check NodePort. The kube-proxy on a node returns the HTTP status code 500 when there are no local pods running. Nodes that do not have local pods will be marked DOWN by NSX-T and appear as such in NSX Manager. Traffic will be routed to only those nodes that have local pods running.
Example Service to Allow Traffic Based on Source IP Ranges
The following load balancer service specification configures the loadBalancerSourceRanges parameter with an array of allowed source IP CIDRs. Only inbound requests emanating from these source IP ranges will be allowed; all other inbound traffic will be dropped.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: allow-based-on-source-IPs
spec:
  selector:
    app: testApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  loadBalancerSourceRanges:
    - 10.0.0.0/24
    - 10.1.0.0/24
  type: LoadBalancer
```
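As an added example that is not part of the VMware documentation, the following Python script audits the two controls described above: it evaluates whether a given client IP falls inside a Service's loadBalancerSourceRanges, flags LoadBalancer Services that accept any source or that do not use externalTrafficPolicy: Local, and mirrors how the NSX-T monitor marks nodes UP or DOWN from the health check NodePort status. The Service objects are constructed inline in the JSON shape that `kubectl get svc -o json` returns, with field values taken from the two manifests on this page.

```python
import ipaddress

# Constructed sample input: the two Services from this page, as kubectl would return them.
ALLOW_SVC = {"metadata": {"name": "allow-based-on-source-IPs"},
             "spec": {"type": "LoadBalancer", "selector": {"app": "testApp"},
                      "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80}],
                      "loadBalancerSourceRanges": ["10.0.0.0/24", "10.1.0.0/24"]}}
LOCAL_SVC = {"metadata": {"name": "local-only"},
             "spec": {"type": "LoadBalancer", "selector": {"app": "testApp"},
                      "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80}],
                      "externalTrafficPolicy": "Local"}}

def source_ranges(svc):
    """Parsed allow-list. An absent list means the VIP accepts any source (0.0.0.0/0)."""
    ranges = svc["spec"].get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
    return [ipaddress.ip_network(r.strip(), strict=False) for r in ranges]

def source_allowed(svc, client_ip):
    """Would the load balancer accept an inbound request from client_ip?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in source_ranges(svc))

def audit(svc):
    """Findings for one Service; an empty list means both controls are in place."""
    spec, name, findings = svc["spec"], svc["metadata"]["name"], []
    if spec.get("type") != "LoadBalancer":
        return findings  # the two controls only apply to LoadBalancer Services
    try:
        nets = source_ranges(svc)
    except ValueError as e:
        return [f"{name}: invalid loadBalancerSourceRanges entry ({e})"]
    if any(n.prefixlen == 0 for n in nets):
        findings.append(f"{name}: reachable from any source IP; set loadBalancerSourceRanges")
    # Kubernetes defaults externalTrafficPolicy to Cluster when it is not set.
    if spec.get("externalTrafficPolicy", "Cluster") != "Local":
        findings.append(f"{name}: externalTrafficPolicy is Cluster; all nodes receive traffic")
    return findings

def pool_state(health_responses):
    """Mirror the NSX-T monitor: node -> UP/DOWN from the HTTP status kube-proxy
    returned on the health check NodePort (200 with local pods, 500 without)."""
    return {node: "UP" if status == 200 else "DOWN"
            for node, status in health_responses.items()}

if __name__ == "__main__":
    for svc in (ALLOW_SVC, LOCAL_SVC):
        print(svc["metadata"]["name"], audit(svc) or "OK")
    print(pool_state({"node-a": 200, "node-b": 500}))
```

Point the script at real output by loading `kubectl get svc -A -o json` and passing each item to `audit`; the node names and status codes given to `pool_state` are placeholders for what the NSX-T monitor observes.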