IBM Support

ACCESS CONTROL FOR APIC ENDPOINTS USING NGINX CONTROLLER

Troubleshooting


Problem

In IBM API Connect, you can configure access control based on client IP addresses by using the Kubernetes ingress-nginx ingress controller. Using the ingress controller's allowlisting, you can also restrict access per endpoint.

For example: cloud-admin-ui, api-manager-ui, platform-api, consumer-api

NOTE: This article refers to third-party software that IBM does not control. As such, the software might change and this information can become outdated. The steps described here are outlined for cloud-admin-ui access; similar steps can be applied to other endpoints as well.

Client IP setup: 

For an OVA installation, the "use-proxy-protocol" parameter is set to "true" by default. It is recommended to check and adjust this parameter for other deployments.

This value can be changed using the following steps:

  • Edit the "ingress-nginx-ingress-controller" ConfigMap and search for "use-proxy-protocol":
    kubectl edit ConfigMap ingress-nginx-ingress-controller -n <name-space>
  • If it is not present, add the following line so that the Nginx ingress controller uses the Proxy Protocol for incoming connections:
    use-proxy-protocol: "true"
    Configuring this allows the ingress controller to see the client IP address.
  • If an external load balancer is involved, you need to enable the Proxy Protocol there as well.

    For example, for an AWS Elastic Load Balancer you can set the value "*" under service annotations: service.beta.kubernetes.io/aws-load-balancer-proxy-protocol. This change makes the load balancer send the client IP in a separate Proxy Protocol header.

  • Once the Proxy Protocol setup is done, you will see the actual client IP address (instead of 127.0.0.1) in the ingress-nginx-ingress-controller-xxxx logs.

Configure an allowlist range:

You can configure an allowlist range of IP addresses to allow access to a specific endpoint. After applying this, connections from an IP address outside the range are rejected. To configure an allowlist range, do the following:

  • Create an extra-values file (.yaml) in the apicup project directory (the one used for the installation). If the file is created outside the project directory, you need to use its full path when setting it up.
  • In the following extra-values file, access is allowed for client IPs within the CIDR block 10.100.10.0/24 and rejected for all others.

Sample extra-values file:

    global:
      ingress:
        # cloud-admin-ui endpoint
        cm:
          annotations:
            ingress.kubernetes.io/whitelist-source-range: 10.100.10.0/24

Apply the extra-values file:

  • Set the extra-values for the current Management subsystem using the following command:
    apicup subsys set <subsystem_name> extra-values-file <extra-values-file.yaml, or its full path if outside the project directory>
  • You can validate it afterward:
    apicup subsys get <name-of-the-management-subsystem> --validate
  • Update the management subsystem for the changes to take effect:
    apicup subsys install <name-of-the-management-subsystem>

Test & confirm:

Access the Cloud Manager UI from a client IP address that is not in the current allowlist range. The expected behavior is that access is denied and an error message appears in the ingress-nginx-ingress-controller-xxx logs. The logs should contain "access forbidden by rule, client: <client_ip>" each time the rule is applied.
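To confirm the allowlist behaves as intended, the following added example (not part of the IBM article) parses "access forbidden by rule" lines from the ingress controller log, checks each denied client against the allowlist CIDR from the extra-values file, and flags the two misconfigurations this article describes: a denied client that is actually allowlisted, and 127.0.0.1 showing up as the client, which means the Proxy Protocol is not delivering the real IP. The log lines and the 192.0.2.10 address are constructed sample data.

```python
import ipaddress
import re

# Allowlist from the sample extra-values file on this page.
ALLOWLIST = ["10.100.10.0/24"]

# Error-log line nginx emits when the whitelist-source-range rule denies a client.
FORBIDDEN_RE = re.compile(r"access forbidden by rule, client: (?P<ip>[0-9a-fA-F.:]+)")


def parse_allowlist(ranges):
    """Parse CIDR strings strictly, so a host bit set by mistake (10.100.10.1/24) fails early."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def denied_clients(log_lines):
    """Client IPs the ingress controller logged as forbidden by rule, in log order."""
    denied = []
    for line in log_lines:
        match = FORBIDDEN_RE.search(line)
        if match:
            denied.append(match.group("ip"))
    return denied


def audit(log_lines, ranges):
    """Cross-check denied clients against the allowlist and detect a missing Proxy Protocol."""
    networks = parse_allowlist(ranges)
    denied = denied_clients(log_lines)
    return {
        "denied": denied,
        # A denied IP inside the allowlist means the applied annotation and the file disagree.
        "denied_but_allowlisted": [ip for ip in denied if is_allowed(ip, networks)],
        # 127.0.0.1 as the client means the controller never saw the real source address.
        "loopback_seen": "127.0.0.1" in denied,
    }


# Constructed sample log lines (not output from a real cluster).
SAMPLE_LOGS = [
    '2021/08/12 10:01:02 [error] 25#25: *101 access forbidden by rule, client: 192.0.2.10, server: _, request: "GET /admin/ HTTP/1.1", host: "cloud-admin.example.com"',
    '192.0.2.10 - - [12/Aug/2021:10:01:02 +0000] "GET /admin/ HTTP/1.1" 403 146',
    '2021/08/12 10:02:03 [error] 25#25: *102 access forbidden by rule, client: 127.0.0.1, server: _, request: "GET /admin/ HTTP/1.1", host: "cloud-admin.example.com"',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOGS, ALLOWLIST))
```

Run it against `kubectl logs` output from the controller pod; a non-empty "denied_but_allowlisted" list or "loopback_seen" set to True points at the configuration steps above rather than at the client.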

The same approach can be applied to other endpoints by using their annotations in the extra-values file.

Document Location

Worldwide




Document Information

More support for:
IBM API Connect

Component:
API Connect

Software version:
10.0.0, 2018.4.1.0

Document number:
6237840

Modified date:
12 August 2021

UID

ibm16237840
