Kubernetes Quick Tip: Whitelisting source IP with Ingress in Kubertenes

 

by Michael Müller

If you are using Ingress on your Kubernetes cluster it is possible to restrict access to your application based on dedicated IP addresses. One possible use case would be that you have a development setup and don’t want to make all the fancy new features available to everyone, especially competitors. In such cases, IP whitelisting to restrict access can be used .This can be done with specifying the allowed client IP source ranges through the ingress.kubernetes.io/whitelist-source-range annotation. The value is a comma separated list of CIDR block, e.g. 10.0.0.0/24,1.1.1.1/32.

If you want to set a default global set of IPs this needs to be set in the config of the ingress-controller. In the example below we use the NGINX ingress-controller and could set that default value in the config-map used for the ingress-controller. The global value can be overwritten using annotation in the Ingress rule. Please note that not all ingress-controllers support whitelisting, please check the documentation of the ingress-controller you’re using.

The configuration:

Testing with the annotation set:

Testing without the annotation set:

Using this simple annotation, you’re able to restrict who can access the applications in your kubernetes cluster by its IPs.

The following two tabs change content below.

Michael Müller

Michael has 15+ years of international experience in IT. Before joining Container Solutions, Michael was Head of IT and Cloud Innovations at Swisscom. Together with his team, he established DevOps, Microservices and Containerized Infrastructures at Swisscom.

2 Comments

  1. So, how does one do this using nginx running inside k8s as a deployment and frontending multi datacenter services.
    Since kube-proxy does not follow the proxy protocol, an nginx inside the cluster would never know the real public IP it needs to block or allow.
    Thoughts?

    • Hi Krish, NGINX ingress isn’t using services (kube-proxy) to route traffic to the pods. Instead it uses the Endpoints API. So using the proxy-protocol should work, but you also need to enable it using a ConfigMap .

Leave a Reply

Your email address will not be published. Required fields are marked *