What are possible ways of country filtering?

6/30/2016

I'm right now using GKE (kubernetes) with an nginx container to proxy different services. My goal is to block some countries. I'm used to doing that with nginx and its useful geoip module, but as of now, kubernetes doesn't forward the real customer ip to the containers, so I can't use it.

What would be the simplest/cheapest solution to filter out countries until kubernetes actually forwards the real IP?

  • External service?
  • Simple google server with only nginx, filtering countries, forwarding to kubernetes (not great in terms of price and reliability)?
  • Modify the kube-proxy (as I've seen here and there, but it seems a bit odd)?
  • Frontend geoip filtering (hmm, worse idea by far)?

thank you!

-- VsM
geolocation
google-kubernetes-engine
kubernetes

2 Answers

7/1/2016

You can use a custom nginx image and use a map to create a filter

# this in http section
map $geoip_country_code $allowed_country {
   default yes;
   UY      no;
   CL      no;
}

and

# this inside some location where you want to apply the filter
if ($allowed_country = no) {
   return 403;
}
-- aledbf
Source: StackOverflow

7/1/2016

First on GKE if you're using the nginx ingress controller, you should turn off the default GCE controller: https://github.com/kubernetes/contrib/blob/master/ingress/controllers/gce/BETA_LIMITATIONS.md#disabling-glbc, otherwise they'll fight.

> kubernetes doesn't forward the real customer ip to the containers

That's only true if you're going through kube-proxy with a service of type NodePort and/or LoadBalancer. With the nginx ingress controller you're running with hostPort, so it's actually the docker daemon that's hiding the source ip. I think later versions of docker default to the iptables mode, which shows you the source ip once again.

In the meanwhile you can get source ip by running the nginx controller like: https://gist.github.com/bprashanth/a4b06004a0f9c19f9bd41a1dcd0da0c8

That, however, uses host networking, not the greatest option. Instead you can use the proxy protocol to get src ip: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx#proxy-protocol

Also (in case you didn't already realize) the nginx controller has the geoip module enabled by default: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx#nginx-status-page

Please open an issue if you need more help.

EDIT: proxy protocol is possible through the ssl proxy which is in alpha currently: https://cloud.google.com/compute/docs/load-balancing/tcp-ssl/#proxy_protocol_for_retaining_client_connection_information

-- Prashanth B
Source: StackOverflow
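
The two answers combined, as an added example that is not from either answer or from the ingress controller project: a stand-alone nginx configuration that takes the client address from the PROXY protocol header and then applies the country map. The GeoIP database path, the 192.0.2.0/24 load-balancer range and the `backend` upstream are placeholders assumed for illustration.

```nginx
# Added example for a custom nginx image; not the ingress controller's generated config.
events {}

http {
    # Assumed location of the legacy GeoIP country database.
    geoip_country /usr/share/GeoIP/GeoIP.dat;

    # Accept the address in the PROXY protocol header only when the TCP peer
    # is the load balancer. 192.0.2.0/24 is a placeholder range: replace it
    # with the balancer's real source range. Connections from any other peer
    # keep their socket address, so the header cannot override the country lookup.
    set_real_ip_from 192.0.2.0/24;
    real_ip_header   proxy_protocol;

    # Same map as in the first answer: listed countries are refused.
    map $geoip_country_code $allowed_country {
        default yes;
        UY      no;
        CL      no;
    }

    # Hypothetical upstream standing in for the proxied services.
    upstream backend {
        server 127.0.0.1:8080;
    }

    server {
        # The load balancer must send a PROXY header on every connection
        # to this port; plain HTTP without it is rejected by nginx.
        listen 80 proxy_protocol;

        location / {
            if ($allowed_country = no) {
                return 403;
            }
            # Pass the recovered client address on to the service.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_pass http://backend;
        }
    }
}
```

Restrict the listening port to the load balancer at the firewall as well, so the filter never has to evaluate a connection whose source address it cannot trust.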