Deny direct IP access to an application deployed in Kubernetes
I have a NodeJS application with express.js as a backend framework deployed on the cloud using Kubernetes. The K8s cluster runs on top of an Ubuntu template. The application deployed in Kubernetes is of service type NodePort. This means the app uses the external IP address of the K8s nodes. In my case, it's currently using the external IP address of one of the master nodes.

I then assigned a DNS hostname to the application using Cloudflare Tunnel (aka Argo Tunnel). It works perfectly fine, as I can access the application from outside the K8s cluster with the DNS hostname that was resolved. However, I can also access the application directly at a.b.c.d:31130.
Here is a snippet from the config.yml file used to create the Cloudflare tunnel:

tunnel: ***********8ab68bscjbi9cddhujhdhbh
credentials-file: /home/sebastian/.cloudflared/***********8ab68bscjbi9cddhujhdhbh.json
ingress:
  - hostname: myapp.test.io
    service: http://a.b.c.d:31130
  - service: http_status:404
My concern here is: how do I deny or block direct IP access to the application? I do not wish to reveal the IP address and make life hard for myself from a security standpoint.
Whether this has to be configured within Cloudflare or within the K8s cluster is also my doubt. Any feedback and suggestions would be appreciated.
From a Kubernetes perspective, an Ingress controller is the standard way to expose an HTTP backend over a TLS connection from the cluster to the client.
You can publish the application using TLS certificates. When creating the TLS certificate, you can specify the alternative names you would allow for your application. Other names or IP addresses will not be allowed to access the website.

Here is an example of alternative names. We can remove the IP addresses if we don't wish to allow access using an IP.

X509v3 Subject Alternative Name:
    DNS:kmaster, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:172.16.16.100

Ingress TLS examples: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/tls-termination
Alternative names: https://kubernetes.io/docs/tasks/administer-cluster/certificates/#openssl