Skip to main content

IPPolicy custom resource

apiVersion: ingress.k8s.ngrok.com/v1alpha1

kind: IPPolicy

IP Policies define rules that allow or deny traffic based on the source IP of connections to your ngrok endpoints. These policies can be attached to endpoints via Traffic Policy configurations to control access based on IP addresses and CIDR ranges. IP Policies consist of one or more rules, where each rule specifies:
  • An action (allow or deny)
  • A CIDR range to match against
  • An optional description

IPPolicy structure and types

The following outlines the high level structure and typings of an IPPolicy

IPPolicy fields

The following sections outline each field of the IPPolicy custom resource, whether they are required, what their default values are (if applicable), and a description of their purpose/constraints.

spec

spec defines the desired state of the IPPolicy Type: Object Required: yes Default: none Fields:

spec.description

Human-readable description of this IP Policy that can be used to help identify/describe it. Type: string Required: no Default: ""

spec.metadata

String of arbitrary data associated with the object in the ngrok API/Dashboard. Type: string Required: no Default: "{"owned-by":"kubernetes-ingress-controller"}"

spec.rules

List of rules that define which IP addresses or CIDR ranges should be allowed or denied access. Each rule is evaluated independently, and the most specific matching rule applies. Type: []Object Required: yes Default: none Fields:

spec.rules[].action

Specifies whether to allow or deny traffic from the IP addresses matching this rule’s CIDR range. Type: string (enum) Required: yes Default: none Allowed Values: "allow", "deny"

spec.rules[].cidr

IP address or CIDR range to match against the source IP of incoming connections. This must be a valid IPv4 or IPv6 CIDR notation. Type: string Required: yes Default: none Examples:
  • Single IP: 192.168.1.1/32
  • Subnet: 10.0.0.0/24
  • IPv6: 2001:db8::/32

spec.rules[].description

Human-readable description of this rule that can be used to help identify/describe it. Type: string Required: no Default: ""

spec.rules[].metadata

String of arbitrary data associated with this rule in the ngrok API/Dashboard. Type: string Required: no Default: none

Status fields

The IPPolicy resource includes status information that reflects the current state of the policy in the ngrok system.

status.id

The ngrok API ID for this IP Policy resource. Type: string Example: ipp_34iZT0muBP3kpcAXxGjM4uFlgDK

status.rules

Array of rules with their ngrok API IDs. Each rule status includes the rule ID, CIDR, and action that was configured. Type: []Object Example:

status.conditions

Standard Kubernetes conditions that indicate the state of the IP Policy. Type: []Condition Each condition includes:
  • type - The condition type
  • status - True, False, or Unknown
  • reason - A programmatic identifier for the condition state
  • message - A human-readable description
  • lastTransitionTime - When the condition last changed
  • observedGeneration - The resource generation this condition applies to

Condition types

Ready
Indicates whether the IP Policy is fully operational and ready to use. Status Values:
  • True - IP Policy is active and ready
  • False - IP Policy is not ready (see reason for details)
Reasons: Example:
IPPolicyCreated
Indicates whether the IP Policy was successfully created in the ngrok API. Status Values:
  • True - IP Policy was successfully created
  • False - Failed to create IP Policy
Reasons: Example:
RulesConfigured
Indicates whether all rules have been successfully configured for the IP Policy. Status Values:
  • True - All rules are configured
  • False - One or more rules failed to configure
Reasons: Example:

Status examples

Successfully created IP Policy

IP Policy with Invalid CIDR

Checking IP Policy status

You can check the status of an IP Policy using kubectl:

Example IPPolicies

Allow specific IP address

The following IPPolicy allows traffic only from a specific IP address:

Allow subnet with multiple rules

The following IPPolicy allows traffic from a corporate network subnet:

Deny specific IP addresses

The following IPPolicy denies traffic from specific IP addresses: