
Kubernetes Quick Tip: Whitelisting Source IP with Ingress in Kubernetes

If you are using Ingress on your Kubernetes cluster, it is possible to restrict access to your application to dedicated IP addresses. One possible use case: you have a development setup and don't want to make all the fancy new features available to everyone, especially competitors. In such cases, IP whitelisting can be used to restrict access. This is done by specifying the allowed client IP source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation. The value is a comma-separated list of CIDR blocks, e.g. 10.0.0.0/24,1.1.1.1/32.

If you want to set a default global set of IPs, this needs to be set in the configuration of the ingress-controller. In the example below we use the NGINX ingress-controller and could set that default value in the ConfigMap used by the ingress-controller. The global value can be overridden using the annotation in the Ingress rule. Please note that not all ingress-controllers support whitelisting; check the documentation of the ingress-controller you're using.
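As an added example that is not part of the original post, the following Python script models what the controller does with these two settings: it parses the comma-separated CIDR list, lets the per-Ingress annotation override the ConfigMap default, and reports whether a given client address would get through or be answered with 403. The ConfigMap value and the client addresses are constructed samples; the annotation value 1.1.1.1/24 is the one from the manifest below. One detail worth seeing in code: 1.1.1.1/24 has host bits set, so it admits the whole 1.1.1.0/24 network rather than a single host.

```python
import ipaddress

ANNOTATION_KEY = "ingress.kubernetes.io/whitelist-source-range"

# Constructed sample values (not from the post): a controller-wide default an
# operator might place in the NGINX ingress-controller ConfigMap, and the
# annotation from the Ingress manifest shown on this page.
CONFIGMAP_DEFAULT = "10.0.0.0/24,1.1.1.1/32"
INGRESS_ANNOTATIONS = {ANNOTATION_KEY: "1.1.1.1/24"}


def parse_source_ranges(value):
    """Parse a comma-separated CIDR list into ip_network objects.

    strict=False accepts a prefix whose host bits are set, the way nginx does:
    "1.1.1.1/24" is taken to mean 1.1.1.0/24. Each such normalisation is
    reported, because it widens the allowlist well beyond the single host the
    author may have had in mind.
    """
    networks, warnings = [], []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate trailing or doubled commas
        net = ipaddress.ip_network(item, strict=False)
        if "/" in item and str(net) != item:
            warnings.append(f"{item} has host bits set; effective range is {net}")
        networks.append(net)
    return networks, warnings


def effective_ranges(annotations, configmap_default):
    """Per-Ingress annotation wins; the ConfigMap value is the fallback."""
    value = annotations.get(ANNOTATION_KEY, configmap_default)
    return parse_source_ranges(value)


def is_allowed(client_ip, networks):
    """True when the connecting address falls in any allowed range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def expected_status(client_ip, networks):
    """Status the controller answers with: 403 when the source is not listed."""
    return 200 if is_allowed(client_ip, networks) else 403


if __name__ == "__main__":
    nets, warns = effective_ranges(INGRESS_ANNOTATIONS, CONFIGMAP_DEFAULT)
    for w in warns:
        print("warning:", w)
    # Constructed client addresses: one inside 1.1.1.0/24, two outside it.
    for ip in ("1.1.1.200", "10.0.0.5", "203.0.113.7"):
        print(ip, "->", expected_status(ip, nets))
```

The address the controller compares is the one it sees on the TCP connection. When the controller sits behind a cloud load balancer or another proxy, that is often the balancer's address rather than the end client's, and the allowlist then either blocks everyone or admits everyone. The controller has to be configured to learn the real client IP (proxy protocol, or a forwarded-for header from a trusted hop) before this restriction means anything, and the curl tests further down are the quickest way to confirm it does.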

The configuration:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: whitelist
  annotations:
    ingress.kubernetes.io/whitelist-source-range: "1.1.1.1/24"
spec:
  rules:
  - host: whitelist.test.net
    http:
      paths:
      - path: /
        backend:
          serviceName: webserver
          servicePort: 80

Testing with the annotation set:

curl -v -H "Host: whitelist.test.net" /graph
* Trying ...
* TCP_NODELAY set
* Connected to  () port 80 (#0)
> GET /graph HTTP/1.1
> Host: whitelist.test.net
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: nginx/1.11.3
< Date: Tue, 07 Feb 2017 09:46:51 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
<
403 Forbidden
<center>
<h1>403 Forbidden</h1>
</center><hr><center>nginx/1.11.3</center>
* Curl_http_done: called premature == 0
* Connection #0 to host left intact

Testing without the annotation set:

curl -v -H "Host: whitelist.test.net" <HOST-IP>/graph
* Trying <HOST-IP>...
* TCP_NODELAY set
* Connected to <HOST-IP> (<HOST-IP>) port 80 (#0)
> GET /graph HTTP/1.1
> Host: whitelist.test.net
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.11.3
< Date: Tue, 07 Feb 2017 09:49:01 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
* Curl_http_done: called premature == 0
* Connection #0 to host <HOST-IP> left intact

Using this simple annotation, you're able to restrict who can access the applications in your Kubernetes cluster by their IP addresses.
