Automating CDN Trust: Kubernetes Solution for Dynamic Bunny CDN IP Management
For applications running behind content delivery networks, accurately identifying client IP addresses remains a persistent infrastructure challenge. Reverse proxies obscure original client IPs, forcing developers to maintain constantly changing allowlists of CDN edge servers. This problem intensifies with services like Bunny CDN, whose edge network IPs frequently change across hundreds of global points of presence.
Enter the Kubernetes Bunny CDN ACL Manager, an open-source solution that automates IP management through Kubernetes-native components. The tool solves the trust proxy problem by regularly fetching Bunny's latest edge IPs and storing them in a ConfigMap, which applications can consume as environment variables or mounted files.
How It Works: Automation Meets Kubernetes Native Patterns
The system operates as a Kubernetes CronJob that executes daily at 2 AM UTC, querying Bunny's API for the latest IPv4 and IPv6 addresses. These addresses populate a bunny-trusted-ips ConfigMap, which becomes the single source of truth for downstream applications:
# Sample application integration via environment variable
env:
  - name: TRUSTED_PROXY_IPS
    valueFrom:
      configMapKeyRef:
        name: bunny-trusted-ips
        key: TRUSTED_PROXY_IP
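The consuming side of that ConfigMap, as an added example that is not code from the ACL Manager repository: a Python sketch of how an application reads TRUSTED_PROXY_IPS, parses the comma-separated IPv4/IPv6 list, and honours X-Forwarded-For only when the connection actually came from a listed Bunny edge. The sample list uses constructed documentation addresses, and the right-to-left walk generalises the single-edge case described above to chains with more than one trusted hop.

```python
import ipaddress
import os

# Constructed stand-in for the bunny-trusted-ips ConfigMap value: a
# comma-separated mix of IPv4/IPv6 addresses and CIDRs (documentation
# ranges, not real Bunny edge IPs), with a trailing comma to exercise parsing.
SAMPLE_TRUSTED_PROXY_IPS = "203.0.113.10,203.0.113.11,2001:db8:100::/48,"


def parse_trusted_proxies(raw):
    """Parse the ConfigMap value into ip_network objects.

    Bare addresses and CIDRs, IPv4 or IPv6, are accepted; empty entries
    (e.g. a trailing comma) are skipped; a malformed entry raises ValueError
    so a bad ConfigMap fails loudly instead of silently trusting nothing.
    """
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in raw.split(",") if item.strip()]


def load_trusted_from_env(name="TRUSTED_PROXY_IPS"):
    """Read the list from the env var the ConfigMap key is mapped into."""
    return parse_trusted_proxies(os.environ.get(name, ""))


def is_trusted_proxy(ip, trusted):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)  # v4-in-v6 is always False


def client_ip(peer_ip, x_forwarded_for, trusted):
    """Resolve the real client IP for one request.

    peer_ip is the TCP peer the app accepted from. X-Forwarded-For is
    honoured only when that peer is a trusted edge; the header is then
    walked right to left, skipping further trusted hops, and the first
    untrusted address is the client. Values a client injected itself sit
    further left and are never reached. A malformed entry at the position
    being read means the chain is broken, so fall back to the peer.
    """
    if not is_trusted_proxy(peer_ip, trusted):
        return peer_ip  # direct or unknown-proxy connection: ignore header
    for entry in reversed((x_forwarded_for or "").split(",")):
        entry = entry.strip()
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return peer_ip
        if not is_trusted_proxy(str(addr), trusted):
            return str(addr)
    return peer_ip  # header missing or made up only of trusted hops
```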
Key technical features include:
- Zero-touch maintenance: Daily updates eliminate manual IP list management
- Dual-stack support: Native handling of both IPv4 and IPv6 addresses
- Security by design: Non-root containers, read-only filesystems, and resource limits
- RBAC enforcement: Namespace-scoped permissions restrict access to the ConfigMap
Real-World Integration: Beyond Theory
The solution shines in complex deployments like Mastodon instances, which require accurate client IPs for security and moderation. The repository includes turnkey integration for Mastodon's Helm chart:
helm install mastodon mastodon/mastodon \
--namespace mastodon \
--values examples/mastodon-values.yaml
This automatically configures Mastodon's TRUSTED_PROXY_IP setting, demonstrating how the solution solves concrete problems for real applications. Additional examples show integration with NGINX and custom applications.
Security First Architecture
Security considerations permeate the design:
- Non-root containers (user 65534)
- Read-only filesystems
- Resource limits to prevent resource exhaustion
- Minimal RBAC permissions
These measures ensure the updater follows Kubernetes security best practices while handling critical network configuration data. The included Semgrep CI pipeline provides additional code scanning assurance.
Operational Simplicity
Monitoring is straightforward using Kubernetes native tools:
kubectl logs -l job-name=bunny-ip-updater --tail=50
kubectl get configmap bunny-trusted-ips -o jsonpath='{.data.TRUSTED_PROXY_IP}' | tr ',' '\n' | wc -l
The included monitor.sh script offers advanced comparison between stored IPs and live API data, providing operational confidence.
Why This Matters
Dynamic CDN IP management represents a microcosm of cloud-native infrastructure challenges: ephemeral resources, security requirements, and the need for automation. This solution exemplifies how Kubernetes primitives (CronJobs, ConfigMaps, and RBAC) can compose elegant solutions to operational headaches. By open-sourcing under an MIT license, the project invites community collaboration to extend its capabilities to other CDNs and use cases.
For teams running behind Bunny CDN, this tool eliminates a security blind spot while demonstrating how Kubernetes-native approaches can solve infrastructure automation challenges that previously required custom scripting and manual intervention.
Source: GitHub Repository