Using a principal for LKE cluster in bucket policy

I want to use a bucket policy to whitelist access from my LKE cluster only, but I can't find which principal should be used for that. Is this possible? I don't like to rely on the aws:SourceIp condition as it might change when my cluster updates/scales.

1 Reply

Setting up a bucket policy to whitelist access from your cluster directly may not be the most stable way to run your setup (for the exact reason you mentioned: IPs subject to change).

For incoming traffic you could create a NodeBalancer as a front-end ingress controller, which would have a static IP, and your cluster could communicate with your bucket on an allow list. More on that here:
https://www.linode.com/docs/guides/deploy-nginx-ingress-on-lke/

As far as outbound traffic goes, there is not really (to my knowledge) a way to set up outgoing LKE traffic to come from a single (static) IP, but a workaround using a NAT gateway may work for the time being:
https://www.linode.com/community/questions/24836/nat-gateway-and-vpc

For the above, you would just need to connect the NAT gateway (the compute instance running WireGuard, because that IP would be static) to your bucket.

Looking forward, I know that Akamai is working on developing a native NAT gateway solution, but no timeline on that feature's release yet, so keep your eyes peeled.

Hope that helps!

-Micah
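An added example (not part of the question or Micah's reply, and not Linode's own code) showing what the allow-listing approach from the reply looks like in bucket-policy form, and why a source-IP condition built from cluster node IPs drifts while one built from a single static NAT egress IP does not. The bucket name, the NAT gateway IP and the node IPs are constructed placeholders from the documentation address ranges; the policy uses the S3-style `aws:SourceIp` / `IpAddress` condition the question refers to, and the evaluator below only models that one condition, not a full policy engine.

```python
import ipaddress
import json

# Constructed placeholders (TEST-NET ranges), not real infrastructure.
BUCKET = "example-bucket"
NAT_GATEWAY_IP = "203.0.113.10"              # static egress IP of the WireGuard NAT instance
NODE_IPS_BEFORE_SCALE = ["198.51.100.11", "198.51.100.12"]
NODE_IPS_AFTER_SCALE = ["198.51.100.11", "198.51.100.12", "198.51.100.40"]  # new node joined


def build_policy(bucket: str, allowed_cidrs: list[str]) -> dict:
    """Build an S3-style bucket policy that allows access only from allow-listed source IPs.

    Principal "*" combined with an IpAddress condition is the usual shape when the
    storage service offers no principal that identifies the cluster itself.
    """
    for cidr in allowed_cidrs:
        ipaddress.ip_network(cidr, strict=False)  # fail early on a malformed entry
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowFromAllowListedEgressIPs",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"IpAddress": {"aws:SourceIp": allowed_cidrs}},
            }
        ],
    }


def source_ip_allowed(policy: dict, source_ip: str) -> bool:
    """Evaluate only the aws:SourceIp IpAddress condition of each Allow statement."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        if any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return True
    return False


def nodes_locked_out(policy: dict, node_ips: list[str]) -> list[str]:
    """Return the cluster nodes whose egress IP the policy would reject."""
    return [ip for ip in node_ips if not source_ip_allowed(policy, ip)]


def host_cidr(ip: str) -> str:
    """Express a single address as a /32 (or /128) entry for the allow list."""
    return str(ipaddress.ip_network(ip, strict=False))


if __name__ == "__main__":
    # Policy pinned to today's node IPs: breaks as soon as the pool scales.
    per_node = build_policy(BUCKET, [host_cidr(ip) for ip in NODE_IPS_BEFORE_SCALE])
    print("locked out after scale (per-node policy):", nodes_locked_out(per_node, NODE_IPS_AFTER_SCALE))

    # Policy pinned to the static NAT egress IP: every node exits through it.
    via_nat = build_policy(BUCKET, [host_cidr(NAT_GATEWAY_IP)])
    print("NAT egress allowed:", source_ip_allowed(via_nat, NAT_GATEWAY_IP))
    print(json.dumps(via_nat, indent=2))
```

The `nodes_locked_out` check is the part worth keeping around operationally: run it against the current node list whenever the pool changes, and it tells you immediately whether a source-IP policy still covers the cluster. With the NAT gateway design from the reply, the allow list contains one address and the check is trivially satisfied.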
