EKS block a single IP

6/29/2021

Please ease my suffering here: I'm trying to block a single IP from getting to one of the sites hosted on EKS. I've tried the server-snippet annotation, but it didn't work. I've also tried creating a network policy to block, no luck. Any idea how to set up a list of restricted IPs?

Here's the Network Policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-dev-network-policy
  namespace: target_namespace
spec:
  podSelector:
    matchLabels:
      app: php
  policyTypes:
  - Ingress
  ingress:
  - from:
    # ipBlock is an allow rule: a bare "cidr: source_ip_value/32" would admit only
    # that address. To deny a single IP, allow everything and carve it out with except.
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - source_ip_value/32
    ports:
    - protocol: TCP
      port: 80

And here's the server-snippet:

nginx.ingress.kubernetes.io/server-snippet: |
  location / {
      deny source_ip;
  }

Edit: When monitoring incoming requests for the domain, I can see that CoreDNS rewrites the requests (I suppose) to match the service name where the site is hosted. I guess that's why the location / doesn't match the request and it is allowed, e.g.:

source.ip.address - - [time/date] "HEAD / HTTP/2.0" 200 0 "-" "curl/7.58.0" 54 0.382 [service-name-service-name-80] [] private.ip:80 0 0.384 200 7a06748e7395fbsssceb737723399919
-- AyCaramba
amazon-eks
ip-restrictions
iptables
kubernetes
kubernetes-networkpolicy

1 Answer

7/7/2021

This is a community wiki answer. Feel free to expand it.

It is worth noting that according to the official docs:

Cluster ingress and egress mechanisms often require rewriting the source or destination IP of packets. In cases where this happens, it is not defined whether this happens before or after NetworkPolicy processing, and the behavior may be different for different combinations of network plugin, cloud provider, Service implementation, etc.

In the case of ingress, this means that in some cases you may be able to filter incoming packets based on the actual original source IP, while in other cases, the "source IP" that the NetworkPolicy acts on may be the IP of a LoadBalancer or of the Pod's node, etc.

However, as you already mentioned in the comments:

We've put this on hold for the moment as it seems there's no way of filtering client IP addresses without enabling the proxy protocol, which would mean a rework of a production Ingress. For now we'll have to be satisfied with AWS WAF.

-- Wytrzymały Wiktor
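The answer's caveat can be checked against the access log the question quotes: if the address ingress-nginx logs as the client is a private, CGNAT or link-local one, the load balancer or node has already rewritten the source and no NetworkPolicy ipBlock or nginx deny can reach the real client. The following parser and audit are an added example, not code from the question, the answer or ingress-nginx; the sample lines are constructed, with 203.0.113.7 standing in for the client to be blocked.

```python
import ipaddress
import re

# Field order of the default ingress-nginx access-log format, matching the line
# quoted in the question (remote_addr first, upstream address and request id last).
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time>[^\]]*)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" (?P<request_length>\d+) '
    r'(?P<request_time>[\d.]+) \[(?P<upstream_name>[^\]]*)\] \[(?P<alt_upstream>[^\]]*)\] '
    r'(?P<upstream_addr>\S+) (?P<upstream_len>\d+) (?P<upstream_time>[\d.]+) '
    r'(?P<upstream_status>\d{3}|-) (?P<req_id>\S+)$')

# Ranges a cloud load balancer or node presents after rewriting the source:
# RFC 1918, CGNAT (100.64/10, common for VPC-internal LBs), link-local, loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "169.254.0.0/16", "127.0.0.0/8")]

def parse_line(line):
    # Log fields as a dict, or None if the line is not in this format.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_source(addr):
    # 'client' = routable address; 'internal' = LB/node replaced the real source,
    # so an IP-based deny cannot hit the client; 'unknown' = not an IP (placeholder).
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "client"

def audit(lines, blocked):
    # Per parseable line: would a deny for `blocked` match the logged address,
    # and is that address the real client at all?
    blocked_ip = ipaddress.ip_address(blocked)
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_source(rec["remote_addr"])
        hit = kind != "unknown" and ipaddress.ip_address(rec["remote_addr"]) == blocked_ip
        out.append({"remote_addr": rec["remote_addr"], "source": kind,
                    "matches_block": hit, "status": rec["status"], "req_id": rec["req_id"]})
    return out

# Constructed samples: the client as seen directly, the same request after SNAT by a
# load balancer or node (10.0.3.15), and the placeholder line quoted in the question.
SAMPLE_LINES = [
    '203.0.113.7 - - [29/Jun/2021:10:00:00 +0000] "HEAD / HTTP/2.0" 200 0 "-" "curl/7.58.0" 54 0.382 [default-php-80] [] 10.0.1.20:80 0 0.384 200 00000000000000000000000000000001',
    '10.0.3.15 - - [29/Jun/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.58.0" 80 0.101 [default-php-80] [] 10.0.1.20:80 512 0.100 200 00000000000000000000000000000002',
    'source.ip.address - - [time/date] "HEAD / HTTP/2.0" 200 0 "-" "curl/7.58.0" 54 0.382 [service-name-service-name-80] [] private.ip:80 0 0.384 200 7a06748e7395fbsssceb737723399919']
```

A run over real logs where every row comes back "internal" confirms the situation the comment describes: the original source is gone before any deny rule sees it, so the client has to be recovered another way (proxy protocol) or blocked upstream (AWS WAF).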
Source: StackOverflow