diff --git a/docs/administrator.md b/docs/administrator.md
index 4257ca442..83594ef1f 100644
--- a/docs/administrator.md
+++ b/docs/administrator.md
@@ -198,7 +198,9 @@ services to an outer network, one can attach load balancers to them by setting cluster manifest. In the case any of these variables are omitted from the manifest, the operator configmap's settings `enable_master_load_balancer` and `enable_replica_load_balancer` apply. Note that the operator settings affect
-all Postgresql services running in a namespace watched by the operator.
+all Postgresql services running in all namespaces watched by the operator.
+
+To limit the range of IP adresses that can reach a load balancer, specify desired ranges in the `allowedSourceRanges` field (applies to both master and replica LBs). To prevent exposing LBs to the entire Internet, this field is set at cluster creation time to `127.0.0.1/32` unless overwritten explicitly. If you want to revoke all IP ranges from an existing cluster, please set the `allowedSourceRanges` field to `127.0.0.1/32` or to the empty sequence `[]`. Setting the field to `null` or omitting entirely may lead to k8s removing this field from the manifest due to [the k8s handling of null fields](https://kubernetes.io/docs/concepts/overview/object-management-kubectl/declarative-config/#how-apply-calculates-differences-and-merges-changes). Then the resultant manifest will not have the necessary change, and the operator will respectively do noting with the existing source ranges.
 ## Running periodic 'autorepair' scans of Kubernetes objects
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
index 54fb9580b..66ac55388 100644
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@@ -962,16 +962,17 @@ func (c *Cluster) generateService(role PostgresRole, spec *acidv1.PostgresSpec)
 if c.shouldCreateLoadBalancerForService(role, spec) {
- // safe default value: lock load balancer to only local address unless overridden explicitly.
- sourceRanges := []string{localHost}
-
- allowedSourceRanges := spec.AllowedSourceRanges
- if len(allowedSourceRanges) >= 0 {
- sourceRanges = allowedSourceRanges
+ // spec.AllowedSourceRanges evaluates to the empty slice of zero length
+ // when omitted or set to 'null'/empty sequence in the PG manifest
+ if len(spec.AllowedSourceRanges) > 0 {
+ serviceSpec.LoadBalancerSourceRanges = spec.AllowedSourceRanges
+ } else {
+ // safe default value: lock a load balancer only to the local address unless overridden explicitly
+ serviceSpec.LoadBalancerSourceRanges = []string{localHost}
 }
+ c.logger.Debugf("final load balancer source ranges as seen in a service spec (not necessarily applied): %q", serviceSpec.LoadBalancerSourceRanges)
 serviceSpec.Type = v1.ServiceTypeLoadBalancer
- serviceSpec.LoadBalancerSourceRanges = sourceRanges
 annotations = map[string]string{
 constants.ZalandoDNSNameAnnotation: dnsName,