Use externalTrafficPolicy: Local on the DNS services
Preserves client source IPs so the authoritative/resolver source-IP ACLs actually apply to external clients (Cluster SNATs them to node IPs). - externalTrafficPolicy: Local on bind-authoritative/resolvers/externaldns - bump operator to v0.1.5 (CRD link + image) for the new service field
This commit is contained in:
@@ -18,6 +18,7 @@ spec:
|
||||
- "allow-query { auth-acl-main; 10.42.0.0/16; }"
|
||||
service:
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Local
|
||||
annotations:
|
||||
purelb.io/service-group: common
|
||||
purelb.io/addresses: 198.18.200.6
|
||||
|
||||
@@ -14,6 +14,7 @@ spec:
|
||||
storageSize: 1Gi
|
||||
service:
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Local
|
||||
annotations:
|
||||
purelb.io/service-group: common
|
||||
purelb.io/addresses: 198.18.200.8
|
||||
|
||||
@@ -13,6 +13,7 @@ spec:
|
||||
storageSize: 1Gi
|
||||
service:
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Local
|
||||
annotations:
|
||||
purelb.io/service-group: common
|
||||
purelb.io/addresses: 198.18.200.7
|
||||
|
||||
Reference in New Issue
Block a user