Enabling secured mode deployment for Multicloud Object Gateway
You can specify a range of IP addresses that should be allowed to reach the Multicloud Object Gateway (MCG) load balancer services to enable secure mode deployment. This helps to control the IP addresses that can access the MCG services.
Before you begin
- A running Fusion Data Foundation cluster.
- In case of a bare metal deployment, ensure that the load balancer controller supports setting the loadBalancerSourceRanges attribute in the Kubernetes services.
Procedure
oc edit noobaa -n openshift-storage noobaa
- noobaa: The NooBaa CR type that controls the NooBaa system deployment.
- noobaa: The name of the NooBaa CR.
...
spec:
  ...
  loadBalancerSourceSubnets:
    s3: ["10.0.0.0/16", "192.168.10.0/32"]
    sts:
      - "10.0.0.0/16"
      - "192.168.10.0/32"
...
- loadBalancerSourceSubnets: A new field that can be added under spec in the NooBaa CR to specify the IP addresses that should have access to the NooBaa services. In this example, all the IP addresses that are in the subnet 10.0.0.0/16 or 192.168.10.0/32 will be able to access MCG S3 and security token service (STS), while other IP addresses are not allowed access.
What to do next
oc get svc -n openshift-storage <s3 | sts> -o=go-template='{{ .spec.loadBalancerSourceRanges }}'
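The following is an added example, not part of the product documentation: a small Python audit that compares the subnets requested in the NooBaa CR with the text the go-template check above prints for each service, and shows which client addresses the example ranges admit. The function names and the sample service outputs are constructed for illustration.

```python
import ipaddress

# Constructed sample data: the CR values are the ones from the example above;
# the service outputs are what the `oc get svc ... -o=go-template` check might print.
CR_SUBNETS = {"s3": ["10.0.0.0/16", "192.168.10.0/32"],
              "sts": ["10.0.0.0/16", "192.168.10.0/32"]}
SVC_OUTPUT = {"s3": "[10.0.0.0/16 192.168.10.0/32]", "sts": "<no value>"}

def parse_ranges(output):
    """Parse the go-template rendering of a string list, e.g. '[a b]'.
    '<no value>' is printed when the field is absent from the service."""
    text = output.strip()
    if text in ("", "<no value>"):
        return []
    return text.strip("[]").split()

def audit_service(name, cr_subnets, svc_output):
    """Compare the subnets requested in the CR with what the service carries."""
    findings, wanted = [], set()
    for cidr in cr_subnets:
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR in CR: {exc}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{name}: {cidr} admits every address")
        wanted.add(net)
    applied = {ipaddress.ip_network(c, strict=False) for c in parse_ranges(svc_output)}
    if not applied:
        findings.append(f"{name}: no loadBalancerSourceRanges set, service is unrestricted")
    findings += [f"{name}: {n} in CR but not on service" for n in sorted(wanted - applied, key=str)]
    findings += [f"{name}: {n} on service but not in CR" for n in sorted(applied - wanted, key=str)]
    return findings

def is_allowed(client_ip, cidrs):
    """True if client_ip falls inside any of the allowed ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

if __name__ == "__main__":
    for svc in ("s3", "sts"):
        for line in audit_service(svc, CR_SUBNETS[svc], SVC_OUTPUT[svc]) or [f"{svc}: OK"]:
            print(line)
    # A /32 is a single address: 192.168.10.0 matches, 192.168.10.5 does not.
    for ip in ("10.0.45.7", "192.168.10.0", "192.168.10.5"):
        print(ip, "allowed" if is_allowed(ip, CR_SUBNETS["s3"]) else "blocked")
```

Note that 192.168.10.0/32 in the example admits exactly one address; a client at 192.168.10.5 would be blocked.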