Naran

Reputation: 83

Whitelisting an IP address in nginx ingress controller

I have a service behind an nginx ingress controller. I want to restrict access to it based on IP. I added the annotation to the ingress manifest: nginx.ingress.kubernetes.io/whitelist-source-range: "my_ip/32"

The nginx ingress controller's service's externalTrafficPolicy is set to Local by default, but the issue is that the nginx ingress controller is denying me even from my whitelisted IP.

When I hit the server I get this in the nginx controller log: access forbidden by rule, client: 127.0.0.1, server: my-site.datasite.com

I'm using GCP GKE.

Any thoughts?

Upvotes: 0

Views: 1628

Answers (1)

Hemanth Kumar

Reputation: 3772

The annotation nginx.ingress.kubernetes.io/whitelist-source-range: "IP" will override some of your config. As mentioned in the Nginx docs: “Adding an annotation to an Ingress rule overrides any global restriction”.

Another option is to use the ConfigMap whitelist-source-range. As mentioned in this example, you can use ngx_http_access_module.

In the Nginx config, each path is saved as

location / {
  …
}

location /api {
  …
}

You can add these restrictions there. Example below:

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}

Upvotes: 0
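Added example (not part of the answer above and not ingress-nginx code): a small Python model of how ngx_http_access_module checks allow/deny rules in order, with the first match deciding, run over the answer's rule list and over the question's case. The address 203.0.113.7 is a constructed stand-in for my_ip, and rendering the annotation as `allow 203.0.113.7/32; deny all;` is an assumption.

```python
import ipaddress

# The rule list from the answer, copied as written.
ANSWER_RULES = """
deny  192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny  all;
"""

# Assumed rendering of whitelist-source-range: "my_ip/32" (constructed IP).
ANNOTATION_RULES = """
allow 203.0.113.7/32;
deny  all;
"""

def parse_rules(conf):
    """Parse 'allow X;' / 'deny X;' lines into (action, network) pairs.
    The network is None for the keyword 'all'."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        # strict=False masks off host bits, so 10.1.1.0/16 becomes 10.1.0.0/16.
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def evaluate(rules, client):
    """Return the action of the first rule matching the client address.
    If no rule matches, access is allowed."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return "allow"

if __name__ == "__main__":
    # The source address the controller logged in the question, then the real one.
    for ip in ("127.0.0.1", "203.0.113.7"):
        print(ip, "->", evaluate(parse_rules(ANNOTATION_RULES), ip))
    for ip in ("192.168.1.1", "192.168.1.20", "10.1.200.5", "2001:db8::1"):
        print(ip, "->", evaluate(parse_rules(ANSWER_RULES), ip))
```

The rule list is matched against the address nginx sees as the client, so a request logged with client: 127.0.0.1 falls through to deny all whatever the real source address was.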
