Kubernetes whitelist-source-range blocks instead of whitelist IP

Running Kubernetes on GKE

Installed Nginx controller with latest stable release by using helm.

Everything works well, except that adding the whitelist-source-range annotation results in my being completely locked out of my service.

Ingress config

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: staging-ingress
  namespace: staging
  annotations:
    kubernetes.io/ingress.class: nginx
    ingress.kubernetes.io/whitelist-source-range: "x.x.x.x, y.y.y.y"
spec:
  rules:
    - host: staging.com
      http:
        paths:
        - path: /
          backend:
            serviceName: staging-service
            servicePort: 80

I connected to the controller pod and checked the nginx config and found this:

# Deny for staging.com/
geo $the_real_ip $deny_5b3266e9d666401cb7ac676a73d8d5ae {
    default 1;

    x.x.x.x 0;
    y.y.y.y 0;
}

It looks like it is locking me out instead of whitelisting these IPs. But it is also locking out all other addresses... I get 403 when going to the staging.com host.

λ Allquantor λ asked Dec 27 '17 10:12

2 Answers

Yes. However, I figured it out by myself. Your service has to have externalTrafficPolicy: Local enabled. That means that the actual client IP should be used instead of the internal cluster IP.

To accomplish this run kubectl patch svc nginx-ingress-controller -p '{"spec":{"externalTrafficPolicy":"Local"}}'

λ Allquantor λ answered Oct 13 '22 22:10


Your nginx controller service has to be set as externalTrafficPolicy: Local. That means that the actual client IP will be used instead of cluster's internal IP.

You need to get the real service name from the kubectl get svc command. The service is something like:

NAME                                          TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
nobby-leopard-nginx-ingress-controller        LoadBalancer   10.0.139.37    40.83.166.29   80:31223/TCP,443:30766/TCP   2d

nobby-leopard-nginx-ingress-controller is the service name you want to use.

To finish this, run kubectl patch svc nobby-leopard-nginx-ingress-controller -p '{"spec":{"externalTrafficPolicy":"Local"}}'

When you are setting up a new nginx controller, you can use the command below:

helm install stable/nginx-ingress \
  --namespace kube-system \
  --set controller.service.externalTrafficPolicy=Local

to have an nginx ingress controller that accepts the whitelist after installing.

Gao Shenghan answered Oct 14 '22 00:10
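As an added example (not code from the question or from either answer), the following Python script parses a geo block of the kind the question quotes from the controller's generated nginx config and models what both answers describe: nginx evaluates the whitelist against the address it actually sees, and with externalTrafficPolicy: Cluster that address is a SNAT'd cluster-internal node address rather than the real client, so every client gets 403. The geo block, the RFC 5737 client addresses and the node address 10.128.0.5 are constructed for this example, and treating the source address as "node IP under Cluster, real client IP under Local" is a simplifying assumption (it ignores proxy protocol and forwarded-header handling, which the thread does not use).

```python
"""Model why whitelist-source-range denies everyone until the controller
Service runs with externalTrafficPolicy: Local (added example, not from
the original post)."""
import ipaddress
import re

# Constructed sample of the `geo` block the nginx ingress controller renders
# from a whitelist-source-range annotation: the hash suffix and the
# RFC 5737 addresses (one host, one CIDR) are made up for this example.
NGINX_GEO_BLOCK = """
# Deny for staging.com/
geo $the_real_ip $deny_5b3266e9d666401cb7ac676a73d8d5ae {
    default 1;

    203.0.113.10 0;
    198.51.100.0/24 0;
}
"""

GEO_RE = re.compile(r"geo\s+\$\S+\s+\$(\S+)\s*\{(.*?)\}", re.S)


def parse_geo_block(text):
    """Return (default_value, {ip_network: value}) for the first geo block.

    nginx assigns `default` unless the client address falls inside one of
    the listed networks; the controller writes 1 = deny, 0 = allow.
    """
    match = GEO_RE.search(text)
    if match is None:
        raise ValueError("no geo block found")
    default_value = 1
    entries = {}
    for raw in match.group(2).splitlines():
        line = raw.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        key, value = line.split()
        if key == "default":
            default_value = int(value)
        else:
            # A bare address is a /32 (or /128) network.
            entries[ipaddress.ip_network(key, strict=False)] = int(value)
    return default_value, entries


def geo_value(client_ip, default_value, entries):
    """Evaluate the block the way nginx geo does: most specific prefix wins."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, value in entries.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, value)
    return default_value if best is None else best[1]


def address_seen_by_controller(real_client_ip, external_traffic_policy, node_ip):
    """Simplified model of the Service setting the answers point at.

    Cluster: kube-proxy may forward the packet to another node and SNATs it,
             so nginx sees a cluster-internal node address.
    Local:   traffic only reaches endpoints on the receiving node and the
             client source address is preserved.
    """
    if external_traffic_policy == "Local":
        return real_client_ip
    return node_ip


def http_status(real_client_ip, external_traffic_policy, node_ip,
                geo_text=NGINX_GEO_BLOCK):
    """403 if the generated geo block denies the address nginx actually sees."""
    default_value, entries = parse_geo_block(geo_text)
    seen = address_seen_by_controller(real_client_ip, external_traffic_policy, node_ip)
    return 403 if geo_value(seen, default_value, entries) else 200


if __name__ == "__main__":
    node = "10.128.0.5"  # constructed GKE node address
    for policy in ("Cluster", "Local"):
        for client in ("203.0.113.10", "198.51.100.77", "192.0.2.1"):
            print(policy, client, http_status(client, policy, node))
```

Under Cluster every client, whitelisted or not, evaluates to 403 because the node address never matches an entry; under Local only the two whitelisted sources get 200. On a live cluster the setting can be read with kubectl get svc <controller-service> -o jsonpath='{.spec.externalTrafficPolicy}'; keep in mind that Local also makes the cloud load balancer health-check nodes individually, so only nodes that run a controller pod receive traffic.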