Kubernetes Ingress whitelist-source-range for LAN
We have a Kubernetes ingress on our cluster. We wanted to restrict access to it to only those accessing it from within our LAN (10.0.0.0/16). So in the ingress annotations, I have nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16".
But this allows traffic from anywhere still. Setting it to 10.0.0.0/24 (our DHCP range), it doesn't allow any traffic at all.
When I check the nginx-ingress-controller logs, I see
10.0.10.1 - - [15/Oct/2019:05:40:46 +0000] "GET / HTTP/2.0" 200 2073 "-" "curl/7.54.0" 38 0.019 [wfs-ipa-8443] [] 10.0.1.2:8443 2073 0.020 200 a2d2053149dd26a490251439629134ff
This shows that it sees the source IP as the node the ingress controller pod is currently running on. How can I make it so that it sees the source IP as either their LAN IP, or the single WAN IP we have?
Edit: ingress.yml:
```yaml
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ipa
  namespace: wfs
  annotations:
    kubernetes.io/ingress.class: "nginx"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/use-proxy-protocol: "true"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "off"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
  - hosts:
    - ipa.example.com
    secretName: ipa-tls
  rules:
  - host: ipa.example.com
    http:
      paths:
      - backend:
          serviceName: ipa
          servicePort: 8443
        path: /
```
Solution 1:
This is an old question probably resolved by the author, but for other community members I decided to provide an answer with a few explanations.
The source IP seen in the NGINX Ingress Controller container is not the original source IP of the client. To enable preservation of the client IP, set service.spec.externalTrafficPolicy to Local in the Service configuration file (see the Preserving the client source IP documentation).
If you already have kubernetes/ingress-nginx deployed, you can use the command below to configure this field:
```shell
$ kubectl patch svc <INGRESS_CONTROLLER_SERVICE_NAME> -p '{"spec":{"externalTrafficPolicy":"Local"}}'
```
If you would like to enable client source IP preservation during the installation of kubernetes/ingress-nginx, add --set controller.service.externalTrafficPolicy=Local to the Helm install command.
Additionally, you can find useful information in this Kubernetes documentation.
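The following is an added worked example, not code from the question or the answer above. It models why the symptoms in the question follow from the source address the controller sees: whitelist-source-range is evaluated against whatever address the controller treats as the client, so when kube-proxy has rewritten that to the node's own address (10.0.10.1, the address logged in the question), a /16 containing the node admits every client and a /24 that excludes the node admits none. The `observed_source_ip` function is a deliberately simplified model of externalTrafficPolicy Cluster versus Local (an assumption of this example, not kube-proxy's implementation), and the client addresses are constructed for the example.

```python
"""Added example: how nginx.ingress.kubernetes.io/whitelist-source-range
behaves depending on the source address the ingress controller sees."""
import ipaddress
import re
from typing import Dict, Iterable

# Ranges tried in the question.
LAN_RANGE = "10.0.0.0/16"
DHCP_RANGE = "10.0.0.0/24"

# Node the controller pod runs on, taken from the access-log line in the
# question (the controller logged it as the client address).
NODE_IP = "10.0.10.1"

# Constructed client addresses for this example (not from a real cluster):
# a LAN host outside the DHCP range, a DHCP host, and an internet client
# from the RFC 5737 documentation range.
CLIENTS = {
    "lan-static": "10.0.5.20",
    "dhcp-laptop": "10.0.0.77",
    "internet": "203.0.113.9",
}

# Access-log line from the question; in the ingress-nginx default log format
# the first whitespace-separated field is the client address.
LOG_LINES = [
    '10.0.10.1 - - [15/Oct/2019:05:40:46 +0000] "GET / HTTP/2.0" 200 2073 "-" '
    '"curl/7.54.0" 38 0.019 [wfs-ipa-8443] [] 10.0.1.2:8443 2073 0.020 200 '
    'a2d2053149dd26a490251439629134ff',
]

_LOG_RE = re.compile(r"^(?P<client>[0-9a-fA-F.:]+) - \S+ \[")


def parse_client_ip(log_line: str) -> str:
    """Return the address the controller logged as the client (first field)."""
    match = _LOG_RE.match(log_line)
    if not match:
        raise ValueError("not an ingress-nginx access-log line")
    return match.group("client")


def is_whitelisted(ip: str, ranges: Iterable[str]) -> bool:
    """True if ip lies inside any CIDR listed in whitelist-source-range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in ranges)


def observed_source_ip(client_ip: str, node_ip: str, policy: str) -> str:
    """Simplified model (an assumption of this example, not kube-proxy code):
    with externalTrafficPolicy=Cluster, kube-proxy SNATs NodePort/LoadBalancer
    traffic and the controller sees the node address; with Local, the packet
    is delivered on the node that runs the controller pod and the original
    client address is preserved."""
    if policy == "Local":
        return client_ip
    if policy == "Cluster":
        return node_ip
    raise ValueError(f"unknown externalTrafficPolicy: {policy}")


def decisions(clients: Dict[str, str], ranges: Iterable[str], policy: str,
              node_ip: str = NODE_IP) -> Dict[str, bool]:
    """Which clients the whitelist admits under the given traffic policy."""
    ranges = list(ranges)
    return {
        name: is_whitelisted(observed_source_ip(ip, node_ip, policy), ranges)
        for name, ip in clients.items()
    }


if __name__ == "__main__":
    # The logged "client" is the node, which is why the /16 admits everyone
    # and the /24 admits no one until the real client address is preserved.
    print("logged client:", parse_client_ip(LOG_LINES[0]))
    for policy in ("Cluster", "Local"):
        for cidr in (LAN_RANGE, DHCP_RANGE):
            print(policy, cidr, decisions(CLIENTS, [cidr], policy))
```

Run as-is, the Cluster rows reproduce the question exactly (10.0.0.0/16 admits the internet client, 10.0.0.0/24 rejects even the DHCP laptop), and only the Local rows give the intended per-client result. The same logic applies to any other mechanism that preserves the client address: the annotation can only filter on what the controller is given, so confirm with the access log that the first field is a real client address before trusting the whitelist.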