Restrict access to k8s service by using ingress nginx controller

I'm trying to restrict access to a pod deployed in a k8s cluster. I'm using the nginx controller, and I used these annotations in my ingress resource:

nginx.ingress.kubernetes.io/whitelist-source-range: <ip/mask>
nginx.ingress.kubernetes.io/proxy-protocol: "true"

The problem is that the IP sent is not the original client IP; instead it's the node IP, even though I added proxy-protocol: true.

Is there any way to route the request with the original client IP? Or another way to restrict access?

If I understand what you’re trying to do – and I’m not sure I do – then an ingress resource may be the wrong tool. You probably want a network policy here. These ingress annotations are probably intended to block/allow public IP addresses you want or do not want the ingress to serve.

I want to restrict external access to my web app. Same issue here (kubernetes - nginx ingress on kuberentes sees node ip address instead of the public internet resource requestor - Stack Overflow), but it did not solve my case (nginx controller default value is Local: nginx-ingress 1.1.2 · nginx/nginx).

Is your ingress controller configured to use a NodePort service or a LoadBalancer service? I’m not clear as to why the node’s IP address would come into this.


Exactly! That's what's confusing me, it's a LoadBalancer. Maybe the kube-proxy is doing some stuff I don't know about!

This is a use case I haven’t dealt with personally, but there’s a blog post that’s on-point that you might want to look at, to see if you’re using the annotations correctly, and which annotations you need to get this to work.


Actually I followed the same tutorial; when I configured this:

controller.service.externalTrafficPolicy=Local

instead of giving me back the public address of the node and saying access forbidden, now it's returning the internal IP. Here are the logs:

2024/02/16 19:09:10 [error] 1641#1641: *322008 access forbidden by rule, client: 10.11.2.165, server:endpoint.com, request: "GET /version.json HTTP/2.0", host: "endpoint.com", referrer: "https://endpoint.com/login"

But in the blog it's returning the original client address.
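As an added diagnostic (not from this thread and not an ingress-nginx tool): a small Python script that parses "access forbidden by rule" lines from the controller's error log and reports whether the denied client address is a private/cluster address, which is the symptom described above (the allow-list is evaluating a node or pod IP rather than the caller's address, so it can never match a public client). The sample log lines, the hostname and the allow-list CIDR are constructed; the first line mirrors the one quoted in the post.

```python
import ipaddress
import re

# Constructed sample lines in ingress-nginx error-log format (not real traffic).
SAMPLE_LOG = """\
2024/02/16 19:09:10 [error] 1641#1641: *322008 access forbidden by rule, client: 10.11.2.165, server:endpoint.com, request: "GET /version.json HTTP/2.0", host: "endpoint.com"
2024/02/16 19:10:42 [error] 1641#1641: *322100 access forbidden by rule, client: 198.51.100.7, server:endpoint.com, request: "GET /login HTTP/2.0", host: "endpoint.com"
2024/02/16 19:11:03 [error] 1641#1641: *322144 access forbidden by rule, client: 203.0.113.9, server:endpoint.com, request: "GET /admin HTTP/2.0", host: "endpoint.com"
"""

FORBIDDEN_RE = re.compile(r"access forbidden by rule, client: (?P<client>[0-9a-fA-F.:]+)")

# Private address space. Node, pod and service CIDRs normally live here, so a
# *client* address in these ranges means the real source IP was replaced
# (e.g. SNAT with externalTrafficPolicy: Cluster) before nginx saw it.
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def classify_denials(log_text, allowed_cidrs):
    """Return (client, verdict) for each 'access forbidden by rule' line.

    source-ip-lost      client is a private/cluster address: the allow-list is
                        being evaluated against a node or pod IP
    blocked             a real external client outside the allow-list
    allowed-but-denied  client matches the allow-list yet was denied: look for
                        another rule (different Ingress/path) producing the deny
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    results = []
    for m in FORBIDDEN_RE.finditer(log_text):
        client = ipaddress.ip_address(m.group("client"))
        if any(client in r for r in INTERNAL_RANGES):
            verdict = "source-ip-lost"
        elif any(client in r for r in allowed):
            verdict = "allowed-but-denied"
        else:
            verdict = "blocked"
        results.append((str(client), verdict))
    return results


def source_ip_preserved(results):
    """False if any denial was evaluated against a cluster-internal address."""
    return not any(verdict == "source-ip-lost" for _, verdict in results)


if __name__ == "__main__":
    found = classify_denials(SAMPLE_LOG, ["198.51.100.0/24"])  # constructed allow-list
    for client, verdict in found:
        print(f"{client:>16}  {verdict}")
    print("client source IP preserved:", source_ip_preserved(found))
```

A run over a real error log that yields only "source-ip-lost" verdicts means the allow-list is rejecting everyone, and the fix belongs in the traffic path (the controller Service's externalTrafficPolicy, or PROXY protocol enabled on both the load balancer and the controller ConfigMap), not in the annotation.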

This is a problem you’ll get better information about via the Kubernetes Slack server; they have a #ingress-nginx-users channel that seems to be fairly active. You can probably find someone there who knows how to use the annotations in question.


Alright will do, thanks a lot for your efforts.

Happy to help, where I can 🙂
