Kubernetes Ingress Whitelist IP for path
Solution 1
If you would like to split it two Ingres, it would look like example below. First Ingress with /admin path and annotation and second Ingress with others paths allowed by any IP.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend-admin
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /admin
backend:
serviceName: api
servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend-all
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
- path: /api
backend:
serviceName: api
servicePort: 8000
- path: /staticfiles
backend:
serviceName: api
servicePort: 80
Please keep in mind that annotation nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" will override some of your config. As mentioned in Nginx docs:
Adding an annotation to an Ingress rule overrides any global restriction.
Another option is to use ConfigMap whitelist-source-range. Like mentioned in this example, you can use ngx_http_access_module.
As in Nginx config, each path is saved as
location / {
...
}
location /api {
...
}
you can add thoses restrictions there. Below example:
location / {
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
}
Solution 2
you can try deviding the ingress in parts. i created two ingress both having diff. path and you can change whitelisting IP
1 :
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
2 :
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend-two
servicePort: 80
cclloyd
Updated on June 06, 2022Comments
-
cclloyd almost 2 years
I know I can whitelist IPs for the entire ingress object, but is there a way to whitelist IPs for individual paths? For example, if I only want to allow
/adminto be accessed from10.0.0.0/16?ingress.yml:--- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: frontend namespace: default labels: app: frontend annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: "letsencrypt-prod" #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" spec: tls: - hosts: - frontend.example.com secretName: frontend-tls rules: - host: frontend.example.com http: paths: - path: / backend: serviceName: frontend servicePort: 80 - path: /api backend: serviceName: api servicePort: 8000 - path: /admin backend: serviceName: api servicePort: 8000 - path: /staticfiles backend: serviceName: api servicePort: 80