Troubleshooting
Problem
In IBM API Connect, you can configure access control based on client IP addresses using the Kubernetes ingress-nginx-ingress controller. Using the ingress controller allowlisting, you can also restrict access for individual endpoints.
For example: cloud-admin-ui, api-manager-ui, platform-api, consumer-api
NOTE: This article refers to third-party software that IBM does not control. As such, the software might change and this information can become outdated. The steps described here have been outlined for cloud-admin-ui access. However, similar steps can be applied to other endpoints as well.
Client IP setup:
For an OVA installation, the "use-proxy-protocol" parameter is set to "true" by default. It is recommended to check and adjust this parameter for other deployments.
This value can be changed using the following steps:
- Edit the "ingress-nginx-ingress-controller" ConfigMap and search for "use-proxy-protocol":
  kubectl edit ConfigMap ingress-nginx-ingress-controller -n <name-space>
- If it is not present, add the following line to the Nginx ingress controller ConfigMap so that it uses the Proxy Protocol for incoming connections:
  use-proxy-protocol: "true"
  Configuring this allows the ingress controller to see the client IP address.
- If an external load balancer is involved, you will need to enable the Proxy Protocol there as well.
  For example, for an AWS Elastic Load Balancer you can set the service annotation service.beta.kubernetes.io/aws-load-balancer-proxy-protocol to "*".
  This change enables the load balancer to send the client IP in a separate Proxy Protocol header.
- Once the Proxy Protocol setup is done, you should see the actual client IP address (instead of 127.0.0.1) in the ingress-nginx-ingress-controller-xxxx logs.
Configure an allowlist range:
You can configure a range of allowlisted IP addresses to allow access to a specific endpoint. After applying this, connections from an IP outside the range are rejected. To configure an allowlist range, do the following:
- Create an extra value file (.yaml) in the apicup Project directory (used for the installation). If the file is created outside the project directory, you will need to use a full path while setting this up.
- In the following extra-values file, we are allowing access to a client IP within the CIDR block 10.100.10.0/24 and rejecting the rest.
Sample extra-values file (note the annotation key is "whitelist-source-range"; a misspelled key is silently ignored by the ingress controller and no restriction is applied):
global:
  ingress:
    # cloud-admin-ui endpoint
    cm:
      annotations:
        ingress.kubernetes.io/whitelist-source-range: 10.100.10.0/24
Apply the extra-values file:
- Set the extra-values for the current Management subsystem using the following command:
apicup subsys set <subsystem_name> extra-values-file <name_of_extra_values_file .yaml or full path of the extra-values-file.yaml>
- You can validate it afterward:
apicup subsys get <name-of-the-management-subsystem> --validate
- Update the management subsystem for the changes to take effect:
apicup subsys install <name-of-the-management-subsystem>
Test & confirm:
Access the Cloud Manager UI from a client IP address that is not in the current allowlist range. The expected behavior is that access is denied and an error message is written to the ingress-nginx-ingress-controller-xxx logs. The logs should contain "access forbidden by rule, client: <client_ip>" every time the rule is applied.
The same approach can be applied for other endpoints, using the annotations in the extra-value file.
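To make the "Test & confirm" step repeatable, the following added example (not part of the original article or of IBM API Connect) audits ingress-nginx log lines against the allowlist CIDR from the sample extra-values file. The log lines are constructed for the example; it flags served requests from outside the range, denials from inside it, and requests seen as 127.0.0.1, which is the symptom of Proxy Protocol not being in effect.

```python
import ipaddress
import re

# Allowlist CIDR from the sample extra-values file on this page.
ALLOWLIST = ["10.100.10.0/24"]

# Constructed sample ingress-nginx-ingress-controller log lines (not real logs):
# a denial by the allowlist rule, a normal served request, and a request whose
# client address is 127.0.0.1 (what you see when Proxy Protocol is not enabled).
SAMPLE_LOGS = """\
2021/08/12 10:00:01 [error] 31#31: *12 access forbidden by rule, client: 192.0.2.7, server: _, request: "GET / HTTP/1.1", host: "cloud-admin-ui.example.com"
10.100.10.42 - - [12/Aug/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
127.0.0.1 - - [12/Aug/2021:10:00:09 +0000] "GET / HTTP/1.1" 200 1234 "-" "curl/7.64"
"""

FORBIDDEN_RE = re.compile(r"access forbidden by rule, client: (\S+?),")
ACCESS_RE = re.compile(r'^(\S+) - - \[[^\]]+\] "[^"]*" (\d{3}) ')

def in_allowlist(ip, allowlist=ALLOWLIST):
    """True if ip falls inside any CIDR block of the allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowlist)

def audit(log_text, allowlist=ALLOWLIST):
    """Classify each log line against the allowlist.
    'denied': clients rejected by the rule; 'allowed': clients served;
    'unexpected': served clients outside the range or denied clients inside it;
    'loopback': requests seen as 127.0.0.1, i.e. Proxy Protocol not in effect."""
    findings = {"denied": [], "allowed": [], "unexpected": [], "loopback": []}
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if m:
            ip = m.group(1)
            findings["denied"].append(ip)
            if in_allowlist(ip, allowlist):
                findings["unexpected"].append(ip)
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, status = m.group(1), int(m.group(2))
        if ipaddress.ip_address(ip).is_loopback:
            findings["loopback"].append(ip)
        elif status < 400:
            findings["allowed"].append(ip)
            if not in_allowlist(ip, allowlist):
                findings["unexpected"].append(ip)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOGS))
```

Any entry under "unexpected" means the annotation is not being applied as intended (for example a misspelled key), and entries under "loopback" mean the Proxy Protocol setup from the first section still needs attention.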
Document Location
Worldwide
Document Information
Modified date:
12 August 2021
UID
ibm16237840