Can Ingress route requests based on IP?

11/7/2019

I have been getting on well with K8s Ingress so far, but I have a question.

Can ingress route requests based on IP?

I already know that Ingress does routing based on hosts like a.com, b.com... to each service, and on URI paths like /a-service/, /b-service/ to each service.

However, I'm curious whether Ingress can route by IP. I'd like requests from my office (a certain IP) to be routed to a specific service for tests.

Does it make sense? And any ideas for that?

-- sunsets
kubernetes
kubernetes-ingress

3 Answers

11/7/2019

This is not part of the main Ingress abstraction, as you noted; however, many Ingress Controllers offer extra features through annotations or secondary CRDs. So in theory it could be added like that. I don't think any do routing like this though, so in practical terms, it's probably not available off the shelf.

-- coderanger
Source: StackOverflow

11/7/2019

As coderanger stated in his answer, ingress does not have it by default.

I'm not sure if IP-based routing is the way to proceed, because how will you test/hit actual deployments/services from office IPs when needed?

I think you can add a check to perform routing based on IP and header. For example, you can pass a header 'redirect-to-test: true'. So if you set this to false, you can still access the production services.

-- Ankit Deshpande
Source: StackOverflow

11/7/2019

If this is just for testing, I would just whitelist the IP. You can read the docs about nginx ingress annotations.

You can specify allowed client IP source ranges through the nginx.ingress.kubernetes.io/whitelist-source-range annotation. The value is a comma separated list of CIDRs, e.g. 10.0.0.0/24,172.10.0.1.

Example yaml might look like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: whitelist
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1/24"
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: echoheaders
          servicePort: 80

Also, it looks like you can do that in Istio (I did not try it) with the kinds ServiceRole and ServiceRoleBinding, for specifying detailed access control requirements. For this you would use the source.ip property. It's explained in Constraints and Properties.

-- Crou
Source: StackOverflow
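
As an added example (not part of any answer above, and not code from ingress-nginx), the following Python sketch reviews a whitelist-source-range value before it is applied, assuming ordinary CIDR semantics in which host bits are masked off. The function names are hypothetical; the annotation values come from the last answer and the client addresses are constructed. The match is made on the client address the controller sees, so behind a load balancer or proxy the office address only matches if the source IP is preserved.

```python
import ipaddress


def parse_source_ranges(value):
    """Parse a comma separated list of IPs/CIDRs into network objects.

    Bare addresses become single-host networks, and host bits are masked
    off, so "1.1.1.1/24" is read as the whole 1.1.1.0/24 network.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(client_ip, value):
    """True if client_ip falls inside any range of the annotation value."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_source_ranges(value))


def review(value, max_addresses=256):
    """Return findings for entries that admit more than was probably meant."""
    findings = []
    for entry in (e.strip() for e in value.split(",") if e.strip()):
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            findings.append(f"{entry}: not a valid IP or CIDR")
            continue
        net = iface.network
        if net.prefixlen == 0:
            findings.append(f"{entry}: matches every client")
        elif iface.ip != net.network_address:
            findings.append(f"{entry}: host bits set, effective range {net} "
                            f"({net.num_addresses} addresses)")
        elif net.num_addresses > max_addresses:
            findings.append(f"{entry}: admits {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    # Annotation values from the answer above; client addresses are constructed.
    for value in ("10.0.0.0/24,172.10.0.1", "1.1.1.1/24"):
        print(value, "->", review(value) or "no findings")
    print(is_allowed("1.1.1.200", "1.1.1.1/24"))
    print(is_allowed("172.10.0.2", "10.0.0.0/24,172.10.0.1"))
```

For a single office address, writing the entry as a bare IP or a /32 keeps the allowed range to that one host.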