Kubernetes Proxy Access Control

The Combine Kubernetes Proxy can be configured to allow or deny requests based on the source IP address (CIDR block) or the IAM Role ARN used to sign the request.

Enabling and Disabling the Kubernetes Proxy

The Kubernetes Proxy can be toggled globally:

| Parameter Name | Value | Description |
| --- | --- | --- |
| combine.endpoints.kubernetes.proxy | true / false | Enable or disable the Combine Kubernetes Proxy globally |

Filtering by Source IP (CIDR Block)

You can restrict Kubernetes Proxy access to specific CIDR blocks of source IP addresses:

| Parameter Name | Value | Description |
| --- | --- | --- |
| combine.endpoints.kubernetes.proxy.ip | Comma-separated CIDR blocks | Allow Kubernetes Proxy requests only from these source IP ranges |
| combine.endpoints.kubernetes.proxy.ip.except | Comma-separated CIDR blocks | Allow requests from all source IPs except these CIDR ranges |

Filtering by Role ARN

You can restrict Kubernetes Proxy access to requests signed by specific IAM Role ARNs:

| Parameter Name | Value | Description |
| --- | --- | --- |
| combine.endpoints.kubernetes.proxy.roleArn | Comma-separated Role ARNs | Allow Kubernetes Proxy requests only from these Role ARNs |
| combine.endpoints.kubernetes.proxy.roleArn.except | Comma-separated Role ARNs | Allow requests from all Role ARNs except these |

Multiple allow conditions (IP and Role ARN) can be combined — a request must satisfy all configured conditions to be proxied.
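The sketch below is an added example, not Combine's own code: it models the rules above so you can check a planned configuration against sample requests before writing it to the table. It assumes that a missing toggle means disabled, that an allow list and an except list set for the same attribute both apply, and that Role ARNs are compared as exact strings; the function names and sample values are hypothetical.

```python
import ipaddress

P = "combine.endpoints.kubernetes.proxy"  # parameter prefix from the page

def _csv(config, key):
    """Split a comma-separated parameter; unset or empty yields []."""
    return [v.strip() for v in config.get(key, "").split(",") if v.strip()]

def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    # A network of the other IP version never contains the address.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def proxy_allows(config, source_ip, role_arn):
    """Return True if the request would be proxied under the assumed rules."""
    # Assumption: a missing toggle is treated as disabled (fail closed).
    if config.get(P, "false").lower() != "true":
        return False
    allow_ip, except_ip = _csv(config, P + ".ip"), _csv(config, P + ".ip.except")
    allow_arn = _csv(config, P + ".roleArn")
    except_arn = _csv(config, P + ".roleArn.except")
    checks = []  # one entry per configured condition; unset ones add nothing
    if allow_ip:
        checks.append(_ip_in(source_ip, allow_ip))
    if except_ip:
        checks.append(not _ip_in(source_ip, except_ip))
    if allow_arn:  # Assumption: ARNs are compared as exact strings
        checks.append(role_arn in allow_arn)
    if except_arn:
        checks.append(role_arn not in except_arn)
    return all(checks)  # every configured condition must hold

# Constructed sample values (documentation ranges, placeholder account ID).
CI_ROLE = "arn:aws:iam::111122223333:role/ci-deployer"
SAMPLE = {
    P: "true",
    P + ".ip": "10.0.0.0/8, 192.0.2.0/24",
    P + ".ip.except": "10.9.0.0/16",
    P + ".roleArn": CI_ROLE,
}

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.9.4.4", "203.0.113.5"):
        print(ip, proxy_allows(SAMPLE, ip, CI_ROLE))
```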

Setting Configuration Values

All configuration values above are set in the Combine Configuration DynamoDB table (combine-configuration). See Edit Combine Configuration Values for instructions.