Restrict API server access by IP address

Restrict access to the Kubernetes API server by IP address

The Kubernetes API server is a highly privileged system and should be secured. You should restrict access to the API server by configuring firewall rules that only allow traffic from trusted sources, such as:

  • Your corporate VPN exit IP addresses.
  • Your office network egress IP addresses.
  • CI/CD runners that need to deploy to the cluster (for example GitLab Runners or GitHub Actions self-hosted runners).
  • A bastion host or jump server used by administrators.
  • Other trusted infrastructure, such as monitoring or backup services running outside the cluster.

When IP restriction is enabled on a Kubernetes API server, connections that do not originate from one of the listed IP ranges are denied.

Restricting access by IP is a highly recommended security feature and is available for any cluster hosted by Avisi Cloud.

Configuring IP restrictions

Open the cluster, navigate to the Networking tab and select Firewalling. Under IP Restrictions you can configure the CIDR ranges that are allowed to reach the Kubernetes API server.

IP Restrictions on the Firewalling tab

For each entry, fill in an IPv4 CIDR address block and a name that helps you identify the source (for example VPN or Office). The name is required.

Press + Add whitelist IP address to add an additional entry, and press Save to apply your changes. The configuration for the API server is updated in the background and may take a few minutes to become active.

Notes

  • Anyone attempting to access a restricted API server from an IP range that is not listed will be denied access.
  • Traffic originating from inside your cluster is allowed even if its CIDR range is not configured. Workloads inside the cluster can keep reaching the API server through the default kubernetes.default.svc service.
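Because anything outside the listed ranges is denied, the entry that matters most is the one covering the address you are connecting from when you press Save. The following is an added example, not part of Avisi Cloud's documentation or platform, that models the allowlist as described above (a required name plus an IPv4 CIDR block per entry, default deny for everything else) so you can check a set of entries before applying them. The sample entries and the addresses tested are constructed.

```python
import ipaddress

# Constructed sample entries, in the shape the Firewalling tab asks for:
# a required name and an IPv4 CIDR block. Traffic from inside the cluster
# is not subject to this list, so only out-of-cluster sources are modelled.
SAMPLE_ENTRIES = [
    {"name": "VPN", "cidr": "203.0.113.0/24"},
    {"name": "Office", "cidr": "198.51.100.10/32"},
    {"name": "CI runners", "cidr": "192.0.2.0/28"},
]


def parse_entries(entries):
    """Validate allowlist entries and return a list of (name, IPv4Network).

    Raises ValueError for a missing name, for anything that is not an
    IPv4 CIDR block (IPv6 included), and for 0.0.0.0/0, which would
    allow every source and defeat the purpose of the restriction.
    """
    parsed = []
    for entry in entries:
        name = (entry.get("name") or "").strip()
        if not name:
            raise ValueError(f"entry {entry!r}: a name is required")
        try:
            # strict=False accepts host bits set, e.g. 192.0.2.5/24 -> 192.0.2.0/24
            network = ipaddress.IPv4Network(entry["cidr"], strict=False)
        except (KeyError, ValueError) as exc:
            raise ValueError(f"entry {name!r}: not an IPv4 CIDR block") from exc
        if network.prefixlen == 0:
            raise ValueError(f"entry {name!r}: 0.0.0.0/0 would allow any source")
        parsed.append((name, network))
    return parsed


def matching_entry(source_ip, entries):
    """Return the name of the first entry covering source_ip, or None (denied)."""
    address = ipaddress.IPv4Address(source_ip)
    for name, network in parse_entries(entries):
        if address in network:
            return name
    return None


def check_before_save(my_egress_ip, entries):
    """True if my_egress_ip would still reach the API server after Save."""
    return matching_entry(my_egress_ip, entries) is not None
```

Run check_before_save with the public egress address you administer the cluster from (for example the VPN exit IP) before saving a new entry set; a False result means the change would lock you out.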
