Skip to main content
Configure Traffic Policies on Kubernetes-bound endpoints to allow or deny connections based on the identity of the originating pod. When a connection arrives on a Kubernetes-bound endpoint, ngrok makes pod metadata available as Traffic Policy variables under conn.k8s.pod.*. This lets you write policies that make access control decisions based on which Kubernetes workload is initiating the connection, not just IP address or network location. Use cases include:
  • Restricting a Kubernetes-bound endpoint so that only pods in a specific namespace can connect.
  • Building allowlists of approved pod names for sensitive internal services.
  • Enforcing tenant isolation in multi-tenant clusters by matching on namespace or pod annotations.

Requirements

  • ngrok Kubernetes Operator version 0.22.1 or later. See Updates & Upgrades for instructions on upgrading.

Available pod identity variables

The following variables are available in Traffic Policy expressions on connections to Kubernetes-bound endpoints. These variables are only populated for connections to endpoints with a kubernetes binding. They are not available on public or internal endpoints.

Annotations

Only annotations prefixed with k8s.ngrok.com/ are included in conn.k8s.pod.metadata.annotations. Annotations without this prefix are not surfaced. The combined size of all included annotations is subject to a 1024-byte cumulative limit. If this limit is exceeded, conn.k8s.pod.metadata.error_code will be set to ERR_NGROK_28000 and a truncated annotation map being returned. To use an annotation in a Traffic Policy expression, add the k8s.ngrok.com/ prefix to it in your pod spec:
You can then reference the annotation in a Traffic Policy expression:

Handling errors

Pod identity is resolved at connection time. In some circumstances, identity information may be unavailable; for example, immediately after a pod first starts, or if the originating pod cannot be uniquely identified due to network configuration. When this happens, the conn.k8s.pod.* metadata variables will not be set, and the error variables will be populated instead. Because pod identity may not always be available, your Traffic Policy should explicitly handle the case where identity is missing. The two common approaches are fail-closed (deny the connection if identity is unavailable) and fail-open (allow the connection to proceed). Which you choose depends on your security requirements. Deny the connection if pod identity cannot be resolved.

Fail-open

Allow the connection to proceed even if pod identity is unavailable, but still enforce the policy when identity is present.

Known limitations

  • Pods using hostNetwork: true share the node’s IP address and cannot be uniquely identified. Pod identity is not supported for these pods.
  • Some CNI configurations may prevent reliable pod identity resolution. If you observe unexpected ERR_NGROK_28001 errors, verify that your CNI preserves pod source IPs.
  • Pod identity is evaluated once when the connection is established. If a pod’s metadata changes after connection, the policy continues to use the identity that was captured at connect time.

Pod identity examples

The following examples demonstrate common pod identity access control patterns.

Deny connections from outside a namespace

Only allow connections originating from pods in the payments namespace.

Allow only specific pods by name

Allowlist two specific pods by name and deny all others.

Enforce access using a pod annotation

Only allow connections from pods that have the k8s.ngrok.com/environment: production annotation.

Multi-tenant isolation

Deny any connection whose pod namespace does not match the endpoint’s own namespace. This is a common pattern for multi-tenant clusters where each tenant runs in a dedicated namespace.