Every Kubernetes cluster has a control plane containing the core components responsible for cluster orchestration. To protect against unwanted changes to these control plane components, it’s important to take proper steps to restrict access. Akamai has updated LKE to include support for control plane access control lists (ACLs), available on all clusters at no additional charge. Using control plane ACLs, you can block all traffic to these core components by default and allow only the IP addresses that will be used by your team. This prevents unintended or malicious traffic from reaching these critical systems.

A control plane ACL is specific to each cluster. It is currently not possible to cascade a single ACL across multiple clusters. If you wish to utilize similar ACLs across your LKE deployments, you must manually define the ACL settings for each cluster.

Configuration Options

Control plane ACLs offer simplified configuration options compared to other firewall solutions. You can adjust the activation state (enabled or disabled), add or remove IP addresses, and view or adjust the revision ID to track changes.

• Activation Status: This defines if the ACL is enabled or disabled. When enabled, the default policy is to DENY incoming traffic unless it originates from one of the allowed IP addresses.
• Addresses: Addresses consist of a list of IPv4 and IPv6 addresses and ranges (in CIDR format). When the ACL is enabled on the cluster, all traffic to the control plane is blocked unless it originates from one of these IP addresses or ranges.
• Revision ID: This is a unique string for identifying each revision to the cluster's ACL policy. It can be used by clients to track events related to ACL update requests and enforcement. While this defaults to a randomly generated string, you can edit it if you prefer to specify your own string to use for tracking a particular revision.

Enable the control plane ACL during cluster creation

To enable the ACL when creating a cluster, make sure the Enable Control Plane ACL toggle is set to Enabled (this is the default setting). Then, add any IP addresses you or your team plan on using to connect to the cluster. You can always adjust this setting or add / remove IP addresses after the cluster has been created. Review the Create a Cluster guide for full instructions.

View, enable, and change ACL settings

Within the Cloud Manager, you can determine the status of the control plane ACL by looking at the Control Plane ACL field within a cluster's summary page.

• A value of Enable means the ACL is not enabled but can be enabled by clicking the Enable link.
• A value of Enabled (x IP addresses) , where x the number of IP addresses configured on the ACL, means that the ACL is enabled. Click the link to change the ACL status or modify the IP addresses.

If you enable the control plane ACL on an existing cluster, it may take up to 20 minutes for the ACL rules to take effect.