We have a Kubernetes ingress on our cluster. We wanted to restrict access to it to only those accessing it from within our LAN (10.0.0.0/16). So in the ingress annotations, I have nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16".
But this allows traffic from anywhere still. Setting it to 10.0.0.0/24 (our DHCP range), it doesn't allow any traffic at all.
When I check the nginx-ingress-controller logs, I see:
10.0.10.1 - - [15/Oct/2019:05:40:46 +0000] "GET / HTTP/2.0" 200 2073 "-" "curl/7.54.0" 38 0.019 [wfs-ipa-8443] [] 10.0.1.2:8443 2073 0.020 200 a2d2053149dd26a490251439629134ff
This shows that it sees the source IP as the node the ingress controller pod is currently running on. How can I make it so that it sees the source IP as either their LAN IP, or the single WAN IP we have?
Edit:
ingress.yml:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ipa
  namespace: wfs
  annotations:
    kubernetes.io/ingress.class: "nginx"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/use-proxy-protocol: "true"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "off"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
  - hosts:
    - ipa.example.com
    secretName: ipa-tls
  rules:
  - host: ipa.example.com
    http:
      paths:
      - backend:
          serviceName: ipa
          servicePort: 8443
        path: /
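
Added example (not part of the original question): a Python check of the logged client address against the two ranges tried above, showing why 10.0.0.0/16 matches every request and 10.0.0.0/24 matches none while the controller sees the node address 10.0.10.1. The addresses 10.0.0.57 and 203.0.113.9 are constructed samples, and the regex assumes the first log field is the client address, as in the line quoted in the question.

```python
import ipaddress
import re

# Access-log line quoted in the question (the first field is assumed to be
# the address the controller evaluates the whitelist against).
QUESTION_LOG = (
    '10.0.10.1 - - [15/Oct/2019:05:40:46 +0000] "GET / HTTP/2.0" 200 2073 '
    '"-" "curl/7.54.0" 38 0.019 [wfs-ipa-8443] [] 10.0.1.2:8443 2073 0.020 '
    '200 a2d2053149dd26a490251439629134ff'
)
# Constructed samples: what the log would start with if the real client
# address were preserved (a LAN host and an external host).
CONSTRUCTED_CLIENTS = ["10.0.0.57", "203.0.113.9"]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def client_from_log(line):
    """Return the client address from one access-log line."""
    match = LOG_RE.match(line)
    if match is None:
        raise ValueError("unrecognised access-log line")
    return ipaddress.ip_address(match.group(1))


def allowed(client, source_range):
    """Apply a whitelist-source-range value (comma-separated CIDRs)."""
    address = ipaddress.ip_address(str(client))
    networks = [ipaddress.ip_network(cidr.strip(), strict=False)
                for cidr in source_range.split(",") if cidr.strip()]
    return any(address in network for network in networks)


def report(source_range):
    """Map each address (logged and constructed) to the allow decision."""
    addresses = [str(client_from_log(QUESTION_LOG))] + CONSTRUCTED_CLIENTS
    return {addr: allowed(addr, source_range) for addr in addresses}


if __name__ == "__main__":
    for source_range in ("10.0.0.0/16", "10.0.0.0/24"):
        print(source_range, report(source_range))
```

While every request is logged as 10.0.10.1, only that first entry of each result describes what the cluster in the question actually does; the other two entries show the decision once the real client address reaches the controller.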