Restrict access using source IP restrictions

Kosmos allows you to restrict access to Fleet or DevSpace resources based on the user’s source IP address. This helps improve security by limiting access to trusted networks only.

Each Fleet and DevSpace is backed by a Kubernetes namespace. Source IP restrictions apply to all namespaced resources within these backing namespaces.

Examples of affected resources include:

  • FleetRoles
  • DevSpaceRoles
  • FleetTeams
  • DevSpaceTeams

How source IP restrictions work

Source IP restrictions are defined using the SourceIPRestriction resource.

You can create one SourceIPRestriction resource per Fleet or DevSpace namespace. This resource contains a list of allowed IP addresses or CIDR blocks.

When a request is made, Kosmos compares the client IP (taken from the request headers) against this list and allows or denies access accordingly.


Create a source IP restriction

To define a source IP restriction, create a SourceIPRestriction resource in the backing namespace of your Fleet or DevSpace.

Example

apiVersion: storage.kosmos.spcplatform.com/v2alpha1
kind: SourceIPRestriction
metadata:
  name: sample-allowlist
  namespace: fleet-or-devspace-namespace
spec:
  displayName: allowlist
  description: Allow list for a Fleet or DevSpace
  entries:
    - type: SingleIP
      value: 172.77.1.4
    - type: IPBlock
      value: 172.17.0.0/16

Configuration details

Resource limits

  • Only one SourceIPRestriction resource is allowed per namespace
  • This limit is enforced for performance reasons
  • You can include multiple entries within a single resource

Supported entry types

  • SingleIP – A single IPv4 address
  • IPBlock – A CIDR block (e.g., 172.17.0.0/16)

CIDR restrictions

  • Maximum allowed prefix length is /24

How client IP is determined

  • Kosmos uses the X-Forwarded-For HTTP header provided by the ingress
  • If a client has multiple IP addresses, not all may be included in the header
  • Only the forwarded IP information is used for access evaluation

Note: Configure restrictions carefully to avoid accidentally locking users out.
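A pre-apply check for the constraints above, as an added example (not Kosmos code): it lints spec.entries and tests whether a given client IP would still match the allowlist, which is the lockout case the note warns about. Assumptions: "/24" is read as "the prefix may not be longer than /24", IPBlock values are IPv4, a request is allowed when the client IP matches any entry, and the function names validate_entries and is_allowed are hypothetical.

```python
import ipaddress

MAX_PREFIX_LEN = 24  # page: "Maximum allowed prefix length is /24" (assumed reading)

def validate_entries(entries):
    """Return a list of problems found in spec.entries (empty list means OK)."""
    problems = []
    for i, e in enumerate(entries):
        etype, value = e.get("type"), str(e.get("value", ""))
        try:
            if etype == "SingleIP":
                ipaddress.IPv4Address(value)
            elif etype == "IPBlock":
                if "/" not in value:
                    problems.append(f"entries[{i}]: IPBlock needs CIDR notation: {value!r}")
                    continue
                net = ipaddress.IPv4Network(value, strict=False)
                if net.prefixlen > MAX_PREFIX_LEN:
                    problems.append(f"entries[{i}]: /{net.prefixlen} is longer than /{MAX_PREFIX_LEN}")
            else:
                problems.append(f"entries[{i}]: unsupported type {etype!r}")
        except ValueError as exc:  # malformed address or netmask
            problems.append(f"entries[{i}]: {exc}")
    return problems

def is_allowed(client_ip, entries):
    """True if client_ip matches any well-formed entry (assumed allowlist semantics)."""
    ip = ipaddress.IPv4Address(client_ip)
    for e in entries:
        try:
            if e["type"] == "SingleIP" and ip == ipaddress.IPv4Address(e["value"]):
                return True
            if e["type"] == "IPBlock" and ip in ipaddress.IPv4Network(e["value"], strict=False):
                return True
        except (KeyError, ValueError):
            continue  # skip malformed entries; validate_entries reports them
    return False

# Entries from the page's example, plus one constructed entry that breaks the /24 rule.
PAGE_ENTRIES = [
    {"type": "SingleIP", "value": "172.77.1.4"},
    {"type": "IPBlock", "value": "172.17.0.0/16"},
]
BAD_ENTRIES = PAGE_ENTRIES + [{"type": "IPBlock", "value": "10.0.0.8/29"}]

if __name__ == "__main__":
    print(validate_entries(BAD_ENTRIES))
    for ip in ("172.17.40.2", "203.0.113.10"):  # constructed client IPs
        print(ip, "allowed" if is_allowed(ip, PAGE_ENTRIES) else "WOULD BE LOCKED OUT")
```

Run it with the IP your requests actually arrive from, as seen by the ingress, before applying a new or updated SourceIPRestriction.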


Manage source IP restrictions

You can manage SourceIPRestriction resources using the following tools:

UI

  • Each Fleet and DevSpace includes a Source IP Restrictions tab

CLI

Available commands:

  • create
  • list
  • get
  • update
  • delete

Terraform Provider

The Terraform provider fully supports managing SourceIPRestriction resources.
