Kubernetes Ingress Whitelist IP for path

11/19/2019

I know I can whitelist IPs for the entire ingress object, but is there a way to whitelist IPs for individual paths? For example, if I only want to allow /admin to be accessed from 10.0.0.0/16?

ingress.yml:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80
-- cclloyd
kubernetes
kubernetes-ingress
nginx

3 Answers

3/10/2020

Did you resolve the issue? I can't figure out, how to use this option, from the previous answer

Another option is to use ConfigMap whitelist-source-range. Like mentioned in this example, you can use ngx_http_access_module

Can you provide example, please?

Dividing to several ingresses - it's very unsuitable for some cases =(


I've just find another solution (but i think solution from previous answer more pretty): You can use annotation nginx.ingress.kubernetes.io/server-snippet and write, like directly in nginx.conf

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-snippet

https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/

-- kikis
Source: StackOverflow

11/26/2019

If you would like to split it two Ingres, it would look like example below. First Ingress with /admin path and annotation and second Ingress with others paths allowed by any IP.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-admin
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-all
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

Please keep in mind that annotation nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" will override some of your config. As mentioned in Nginx docs:

Adding an annotation to an Ingress rule overrides any global restriction.

Another option is to use ConfigMap whitelist-source-range. Like mentioned in this example, you can use ngx_http_access_module.

As in Nginx config, each path is saved as

location / {
  ...
}

location /api {
  ...
}

you can add thoses restrictions there. Below example:

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
-- PjoterS
Source: StackOverflow

11/19/2019

you can try deviding the ingress in parts. i created two ingress both having diff. path and you can change whitelisting IP

1 :

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80

2 :

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend-two
              servicePort: 80
-- Harsh Manvar
Source: StackOverflow