security.rst

=====================
Security
=====================

Access control
==============

By default, the applications on your Stackspin cluster will be exposed to the whole
internet (although they are password protected).

If you like to limit who can access your cluster resources you can configure
the Stackspin ingress (`ingress-nginx <https://kubernetes.github.io/ingress-nginx>`__)
to only accept connections from a certain IP address or range.

Follow the :ref:`customizing:Customize Stackspin applications` instructions, but use the following
secret as ``install/overrides/stackspin-nginx-override.yml`` and apply the secret in
the ``stackspin`` namespace instead of ``stackspin-apps``. Replace the source range with the
IP address ranges you want to allow.

.. code-block:: yaml

   ---
   apiVersion: v1
   kind: secret
   metadata:
     name: stackspin-nginx-override
   data:
     values.yaml: |
       controller:
         config:
           # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
           # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
           whitelist-source-range: 1.2.3.4/24