Document access control

ef7325e6 · Varac · d6f3a040 · ef7325e6 · ef7325e6
Unverified Commit ef7325e6 authored 4 years ago by Varac
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -32,6 +32,7 @@ For more information, go to `the OpenAppStack website`_.
   usage
   troubleshooting
   maintenance
+   security
   upgrading
   comparable_projects
   design

--- a/docs/security.rst
+++ b/docs/security.rst
+=====================
+Security
+=====================
+
+Access control
+==============
+
+By default, the resources of your OAS cluster will be exposed to the whole
+internet (although they are password protected by the single-sign-on system).
+If you like to limit who can access your cluster resources you can configure
+the OAS ingress (`ingress-nginx <https://kubernetes.github.io/ingress-nginx>`__)
+to only accept connections from a certain IP addr/range.
+Add a file in the ``CLUSTER_DIR/group_vars/all/`` directory, i.e. named
+``ingress.yml`` with the following content:
+
+.. code-block:: yaml
+
+  ingress_extra_values:
+    controller:
+      config:
+        # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
+        # comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.
+        whitelist-source-range: 1.2.3.4/24
+
+After this, run the
+`Openappstack installation procedure <installation_instructions.html#step-4-installation>`__
+again.