akilesh raj

Reputation: 674

IP whitelisting in google container engine with ingress not working

I am trying to whitelist IPs that can access my application. I created http-balancer by following this tutorial. https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer

After creating the service with NodePort, I created an ingress.yaml file that looks like the one below. I have created a global static IP and set up a domain name.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: <global-static-ip>
spec:
  rules:
  - host: <domain_name>
  - http:
      paths:
      - path: /*
        backend:
            serviceName: nginx
            servicePort: 80
```

The above YAML file works fine and I am able to access the "Welcome to Nginx" page.

But when I add the IPs to be whitelisted it does not seem to work and still allows other IPs that are not whitelisted.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: <global-static-ip>
    ingress.kubernetes.io/whitelist-source-range: "xx.xx.xx.xxx/32"
spec:
  rules:
  - host: <domain_name>
  - http:
      paths:
      - path: /*
        backend:
            serviceName: nginx
            servicePort: 80
```

Reference: http://container-solutions.com/kubernetes-quick-tip/ https://docs.giantswarm.io/guides/advanced-ingress-configuration/

Upvotes: 2

Views: 1751

Answers (2)

Vincent Praveen

Reputation: 173

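I have not worked with Ingress, but as per normal nginx rules you need to deny all and then allow the whitelisted IPs.

```nginx
location / {
    proxy_pass https://xxx.xx.xx.xx:8080;
    # allow/deny rules are checked in order; the first match decides
    allow xx.xx.xx.xxx/32;
    deny all;
    # not reached: "deny all" above already matches every other address
    allow xx.xx.xx.xxx/32;
}
```

Which in turn won't allow your non-whitelisted IPs.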

Upvotes: 1

Bear Su

Reputation: 36

The references you provided use the Nginx-based ingress controller.

Ingress on GKE uses the HTTP(S) load balancer. Currently the HTTP(S) load balancer on GCP does not support firewall rules to allow or deny traffic by IP.

You can:

Block the source IP in the web server or application yourself.

Or

Try to install the nginx-based ingress controller.

Upvotes: 0
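
The "block the source IP in the application yourself" option, as an added example that is not part of the answer above or of any project's code: a Python WSGI middleware that allowlists on the client address the load balancer records in `X-Forwarded-For`. Assumptions: the backend is reachable only through the load balancer, and the load balancer appends `<client-ip>, <lb-ip>` to the header; `ALLOWED`, `AllowlistMiddleware` and the `/healthz` path are hypothetical names, and the addresses are constructed.

```python
import ipaddress

# Constructed allowlist (RFC 5737 documentation address); use your own CIDRs.
ALLOWED = [ipaddress.ip_network("203.0.113.7/32")]

def client_ip(xff):
    """Return the client address recorded by the load balancer, or None.

    Assumption: the load balancer appends "<client-ip>, <lb-ip>" to whatever
    X-Forwarded-For the client sent, so the client is second from the right.
    Anything further left is client-supplied and must not be trusted.
    """
    parts = [p.strip() for p in (xff or "").split(",")]
    if len(parts) < 2:
        return None
    try:
        return ipaddress.ip_address(parts[-2])
    except ValueError:
        return None

def is_allowed(xff, allowed=ALLOWED):
    ip = client_ip(xff)
    return ip is not None and any(ip in net for net in allowed)

class AllowlistMiddleware:
    """WSGI wrapper: 403 unless the recorded client IP is allowlisted."""

    def __init__(self, app, allowed=ALLOWED, health_path="/healthz"):
        # health_path is hypothetical: load balancer health checks carry no
        # allowlisted client IP, so one path must stay open for them.
        self.app, self.allowed, self.health_path = app, allowed, health_path

    def __call__(self, environ, start_response):
        xff = environ.get("HTTP_X_FORWARDED_FOR")
        if environ.get("PATH_INFO") == self.health_path or is_allowed(xff, self.allowed):
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden\n"]
```

Matching on the first header entry instead would let any client pass by sending its own `X-Forwarded-For` value, which is why only the entry written by the load balancer is used.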
