How to use Kubernetes DNS lookup for NGINX set_real_ip_from

12/17/2019

I've written an NGINX whitelister service inside my K8s cluster. Because everything entering the cluster goes through the load balancer, I had to whitelist the forwarded IP address instead of the source IP directly.

In testing, I hardcoded it like this in the NGINX config:

set_real_ip_from x.x.x.x;
real_ip_header X-Forwarded-For;

Where x.x.x.x was the IP of the load balancer.

This worked.

I can't hardcode the IP in the actual deployment, so I was hoping to use the kube-dns service, like I used for the proxy_pass:

resolver kube-dns.kube-system.svc.cluster.local;
proxy_pass http://{service}.{namespace}.svc.cluster.local:$server_port;

Which also works.

However, this DNS lookup doesn't seem to work for set_real_ip_from:

resolver kube-dns.kube-system.svc.cluster.local;
set_real_ip_from {load balancer service}.kube-system.svc.cluster.local;
real_ip_header X-Forwarded-For;

When I run this, I just get "access forbidden by rule, client: x.x.x.x" (it's not in the whitelist), where x.x.x.x is the load balancer's IP. That kinda makes sense, since set_real_ip_from probably doesn't know to look up the IP.

Is it possible to have NGINX do a DNS lookup for the forwarder address?

If not, maybe someone has a better way to do this.

Thanks!

-- Mitchell Turner
Tags: dns, kubernetes, kubernetes-ingress, nginx

1 Answer

12/17/2019

I guess I just needed to sleep on this. Much simpler than I was making it.

I know the range that the load balancer should fall into, so I can just do a CIDR block for set_real_ip_from.

For example:

set_real_ip_from 10.60.0.0/16;
real_ip_header X-Forwarded-For;

And there is no need for a DNS lookup.

-- Mitchell Turner
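The CIDR approach works because ngx_http_realip_module only honours X-Forwarded-For when the direct peer falls inside a set_real_ip_from range. The model below is an added example, not the asker's code or NGINX source: it reproduces that selection rule for the 10.60.0.0/16 range from the answer and shows why the range must stay tight, since a peer outside it cannot spoof a whitelisted client, while an over-broad range (0.0.0.0/0, as a deliberately bad setting) lets any sender forge the header. The allowlist 203.0.113.0/24 and the peer addresses are constructed for the example.

```python
import ipaddress

# Trusted proxy range from the answer (set_real_ip_from 10.60.0.0/16).
TRUSTED = ["10.60.0.0/16"]
# Constructed client allowlist standing in for the NGINX allow/deny rules.
ALLOWLIST = ["203.0.113.0/24"]


def in_any(addr, nets):
    """True if addr falls inside one of the CIDR ranges (given as strings)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def real_ip(remote_addr, xff, trusted=TRUSTED, recursive=False):
    """Model of ngx_http_realip_module with real_ip_header X-Forwarded-For.

    The header is honoured only when the direct peer (remote_addr) matches a
    set_real_ip_from range. Without real_ip_recursive the last (rightmost)
    address wins; with it, NGINX walks right-to-left past trusted addresses
    and stops at the first untrusted one (or the leftmost if all are trusted).
    """
    if not xff or not in_any(remote_addr, trusted):
        return remote_addr
    candidate = remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparsable entry: keep whatever was last accepted
        candidate = hop
        if not recursive or not in_any(hop, trusted):
            break
    return candidate


def allowed(remote_addr, xff, trusted=TRUSTED, recursive=False):
    """Apply the allowlist to the address the realip module would produce."""
    return in_any(real_ip(remote_addr, xff, trusted, recursive), ALLOWLIST)


if __name__ == "__main__":
    lb, outsider = "10.60.1.5", "198.51.100.9"  # constructed peer addresses
    print(allowed(lb, "203.0.113.7"))            # LB forwarded a listed client
    print(allowed(outsider, "203.0.113.7"))      # untrusted peer: header ignored
    print(allowed(outsider, "203.0.113.7", trusted=["0.0.0.0/0"]))  # over-broad
    print(real_ip(lb, "203.0.113.7, 10.60.2.2"))                 # inner hop
    print(real_ip(lb, "203.0.113.7, 10.60.2.2", recursive=True))  # client
```

If another proxy inside 10.60.0.0/16 sits between the load balancer and NGINX, the last two calls show why real_ip_recursive on is needed to reach the actual client address.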
Source: StackOverflow