Enabling secured mode deployment for Multicloud Object Gateway

To enable secure mode deployment, you can specify the range of IP addresses that are allowed to reach the Multicloud Object Gateway (MCG) load balancer services. This restricts which IP addresses can access the MCG services.

Before you begin

  • A running Fusion Data Foundation cluster.

  • For a bare metal deployment, ensure that the load balancer controller supports setting the loadBalancerSourceRanges attribute in the Kubernetes services.

Procedure

After deploying Fusion Data Foundation, edit the NooBaa custom resource (CR) to specify the range of IP addresses that can access the MCG services.

oc edit noobaa -n openshift-storage noobaa

noobaa

The NooBaa CR type that controls the NooBaa system deployment.

noobaa

The name of the NooBaa CR.

For example:
...
spec:
  ...
  loadBalancerSourceSubnets:
    s3: ["10.0.0.0/16", "192.168.10.0/32"]
    sts:
      - "10.0.0.0/16"
      - "192.168.10.0/32"
...

loadBalancerSourceSubnets

A new field that can be added under spec in the NooBaa CR to specify the IP addresses that should have access to the NooBaa services.

In this example, all IP addresses in the subnet 10.0.0.0/16 or 192.168.10.0/32 can access the MCG S3 and security token service (STS) services, while all other IP addresses are denied access.

What to do next

To verify that the specified IP addresses are set, from the OpenShift Web Console, run the following command and check that the output matches the IP addresses provided to MCG:
oc get svc -n openshift-storage <s3 | sts> -o=go-template='{{ .spec.loadBalancerSourceRanges }}'
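
The verification step above can be scripted so that a missing or wide-open restriction is caught rather than eyeballed. The following is an added example, not part of the product documentation: the function names are hypothetical, and it assumes the go-template prints the list as [a b] and prints <no value> when the field is unset.

```sh
#!/bin/sh
# Added example: helper names below are hypothetical, not part of oc or NooBaa.

# Turn '[a b]', 'a,b' or '"a" "b"' into one CIDR per line, sorted, de-duplicated.
normalize_ranges() {
  printf '%s\n' "$1" | sed 's/[]["]//g' | tr ' ,' '\n\n' | sed '/^$/d' | sort -u
}

# check_ranges EXPECTED ACTUAL
#   0 = the service enforces exactly the expected ranges (order is ignored)
#   1 = ranges are set but differ from what was written to the CR
#   2 = no effective restriction (field unset, empty, or contains 0.0.0.0/0)
check_ranges() {
  case "$2" in ''|'[]'|'<no value>') return 2 ;; esac
  _exp=$(normalize_ranges "$1")
  _act=$(normalize_ranges "$2")
  [ -n "$_act" ] || return 2
  if printf '%s\n' "$_act" | grep -qx '0\.0\.0\.0/0'; then return 2; fi
  [ "$_exp" = "$_act" ] || return 1
  return 0
}

# verify_mcg_service SERVICE EXPECTED: run the page's verification command for
# one service (s3 or sts) and report the result. Needs a logged-in oc session.
verify_mcg_service() {
  _out=$(oc get svc -n openshift-storage "$1" \
         -o=go-template='{{ .spec.loadBalancerSourceRanges }}') || return 3
  _rc=0; check_ranges "$2" "$_out" || _rc=$?
  case "$_rc" in
    0) echo "$1: OK $_out" ;;
    1) echo "$1: MISMATCH, service has $_out" ;;
    2) echo "$1: NOT RESTRICTED ($_out)" ;;
  esac
  return "$_rc"
}

# Offline demonstration on constructed output for the page's example CR.
SAMPLE='[192.168.10.0/32 10.0.0.0/16]'
check_ranges "10.0.0.0/16 192.168.10.0/32" "$SAMPLE" && echo "sample: OK"
```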