Accessing your Red Hat OpenShift API Satellite link endpoints
By default, your Red Hat OpenShift on IBM Cloud API Satellite link endpoints accept traffic only from the IBM Cloud control plane. To access them from other sources, you must configure an access control list (ACL) for your endpoint.
You can configure the ACL for your endpoint by following the instructions in creating access control lists by using the console or by running the following CLI command.
ibmcloud sat acl create --name NAME --location LOCATION --endpoint ENDPOINT --subnet SUBNET [--subnet SUBNET ...]
To find the Red Hat OpenShift API endpoint in your Satellite location, run ibmcloud sat endpoints --location LOCATION and look in the output for the endpoint with a name that starts with openshift-api-.
The subnets that your ACL needs to allow depend on where you are trying to access the API server from, for example, where you are trying to run kubectl commands from. The actual source IP that calls the endpoint might differ from the one you expect, especially if your source is a Kubernetes cluster or instance in VPC.
Use one of the following instructions, depending on your environment.
- If you are running in VPC, you can find your source IPs using the following command.
ibmcloud is vpc VPC
Look for the Cloud Service Endpoint source IP addresses section in the output. For example:
Cloud Service Endpoint source IP addresses:    Zone         Address
                                               us-south-1   10.22.13.83
                                               us-south-2   10.12.158.57
                                               us-south-3   10.12.164.28
Use the Cloud Service Endpoint source IPs to configure your ACL. For example:
ibmcloud sat acl create --name myOpenShiftACL --location myLocation --endpoint openshift-api-cqv7rh4w0pf9mjcsacd0 --subnet 10.22.13.83 --subnet 10.12.158.57 --subnet 10.12.164.28
- If you are using a classic VM, run the following command to find the IP of your virtual service instance.
ibmcloud sl vs list
Example output:
id          hostname   domain                      cpu   memory   public_ip       private_ip     datacenter   action
146349551   myhost     mydomain.ibmcloud.private   1     2048     169.48.27.170   10.166.165.5   tor01
Use the private_ip of your virtual service instance to configure your ACL. For example:
ibmcloud sat acl create --name myOpenShiftACL --location myLocation --endpoint openshift-api-cqv7rh4w0pf9mjcsacd0 --subnet 10.166.165.5
- In all other cases, you can find the Red Hat OpenShift API Satellite link endpoint by looking in the IBM Cloud Log Analysis logs for your Satellite location. To open these logs, click Open Dashboard under Logging for Link. You can set up a filter in the monitoring instance to find the value you need. For example, search for flowlog: rejected by in the log and you will see a rejected client IP. Add an ACL with a subnet matching that IP for your endpoint. This IP is logged when you use oc commands through the link endpoint on the Red Hat OpenShift API. For more information, see Logging for Satellite.
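For the VPC case above, the following added example (not part of the original page and not IBM's code) reads ibmcloud is vpc output, keeps only the addresses listed in the Cloud Service Endpoint source IP addresses section, and prints the matching ibmcloud sat acl create command for review instead of running it. The function names and the sample output are constructed for illustration; the sample reuses the addresses from the example above.

```shell
#!/bin/sh
# Added example (not IBM's code). Live use, with the page's placeholders:
#   ibmcloud is vpc VPC | build_acl_cmd NAME LOCATION ENDPOINT

# Print each IPv4 address found in the Cloud Service Endpoint section of stdin.
cse_source_ips() {
  awk '
    /^Cloud Service Endpoint source IP addresses/ { in_sec = 1; scan(); next }
    in_sec && /^[ \t]/ { scan(); next }  # indented rows continue the section
    { in_sec = 0 }                        # any other field ends the section
    function scan(   i, j, n, o, ok) {
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
        n = split($i, o, "[.]"); ok = 1
        for (j = 1; j <= n; j++) if (o[j] + 0 > 255) ok = 0
        if (ok && !seen[$i]++) print $i   # valid octets, no duplicates
      }
    }'
}

# Print (do not run) the ACL command for NAME LOCATION ENDPOINT; IPs on stdin.
build_acl_cmd() {
  ips=$(cse_source_ips)
  [ -n "$ips" ] || { echo "no Cloud Service Endpoint source IPs found" >&2; return 1; }
  cmd="ibmcloud sat acl create --name $1 --location $2 --endpoint $3"
  for ip in $ips; do cmd="$cmd --subnet $ip"; done
  printf '%s\n' "$cmd"
}

# Constructed sample: the addresses come from the page's example; the Name row
# and the last row are invented to show that IPs outside the section are ignored.
sample_vpc_output() {
  cat <<'EOF'
Name                                           myVPC
Cloud Service Endpoint source IP addresses:    Zone         Address
                                               us-south-1   10.22.13.83
                                               us-south-2   10.12.158.57
                                               us-south-3   10.12.164.28
Hypothetical other field                       192.0.2.10
EOF
}

sample_vpc_output | build_acl_cmd myOpenShiftACL myLocation openshift-api-cqv7rh4w0pf9mjcsacd0
```

Because the command is only printed, you can confirm that every --subnet value is a source you intend to allow before you create the ACL.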