Security

Access control

By default, the applications on your OAS cluster will be exposed to the whole internet (although they are password protected).

If you like to limit who can access your cluster resources you can configure the OAS ingress (ingress-nginx) to only accept connections from a certain IP address or range.

Follow the Customize OAS applications instructions, but use the following secret as install/overrides/oas-nginx-override.yml and apply the secret in the oas namespace instead of oas-apps. Replace the source range with the IP address ranges you want to allow.

---
apiVersion: v1
kind: secret
metadata:
  name: oas-nginx-override
data:
  values.yaml: |
    controller:
      config:
        # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
        # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
        whitelist-source-range: 1.2.3.4/24