Security

Access control

By default, the resources of your OAS cluster will be exposed to the whole internet (although they are password protected by the single-sign-on system). If you like to limit who can access your cluster resources you can configure the OAS ingress (ingress-nginx) to only accept connections from a certain IP address or range. Add a file in the CLUSTER_DIR/group_vars/all/ directory, i.e. named ingress.yml with the following content:

ingress_extra_values:
  controller:
    config:
      # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
      # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
      whitelist-source-range: 1.2.3.4/24

After this, run the Openappstack installation procedure again.