
We have a kubernetes ingress on our cluster. We wanted to restrict access to it to only those accessing it from within our LAN (10.0.0.0/16). So in the ingress annotations, I have nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16".

But this allows traffic from anywhere still. Setting it to 10.0.0.0/24 (our DHCP range), it doesn't allow any traffic at all.

When I check the nginx-ingress-controller logs, I see

10.0.10.1 - - [15/Oct/2019:05:40:46 +0000] "GET / HTTP/2.0" 200 2073 "-" "curl/7.54.0" 38 0.019 [wfs-ipa-8443] [] 10.0.1.2:8443 2073 0.020 200 a2d2053149dd26a490251439629134ff

This shows that it sees the source IP as the node the ingress controller pod is currently running on. How can I make it so that it sees the source IP as either their LAN IP, or the single WAN IP we have?

Edit:

ingress.yml:

---
apiVersion: extensions/v1beta1   # Ingress API current in Oct 2019; networking.k8s.io/v1 on newer clusters
kind: Ingress
metadata:
  name: ipa
  namespace: wfs
  annotations:
    kubernetes.io/ingress.class: "nginx"
    certmanager.k8s.io/cluster-issuer: "letsencrypt-prod"
    ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # use-proxy-protocol is a controller ConfigMap key, not a per-Ingress annotation,
    # so this line does not change how nginx derives $remote_addr.
    nginx.ingress.kubernetes.io/use-proxy-protocol: "true"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "off"
    # Evaluated against the address nginx sees as its TCP peer ($remote_addr);
    # that is the node IP whenever kube-proxy SNATs the inbound connection.
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"

spec:
  tls:
    - hosts:
        - ipa.example.com
      secretName: ipa-tls
  rules:
    - host: ipa.example.com
      http:
        paths:
          - backend:
              serviceName: ipa
              servicePort: 8443
            path: /
cclloyd
  • Can you post the whole ingress.yaml? – Crou Oct 15 '19 at 08:25
  • @Crou added it in my edit. – cclloyd Oct 16 '19 at 06:57
  • Can you do `kubectl get -n wfs ingress ipa -o yaml` and check if k8s correctly understands the annotations? – Crou Oct 23 '19 at 08:04
  • Do you have Kubernetes on bare metal or a managed Kubernetes service? Maybe your environment supports the `externalTrafficPolicy` feature. Look at: [Preserving the client source IP](https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip). – matt_j Feb 23 '21 at 12:30
  • @matt_j It's on premise, and I use MetalLB for load balancing. And yes, `externalTrafficPolicy` worked. – cclloyd Feb 23 '21 at 14:13

1 Answer


This is an old question probably resolved by the author, but for other community members I decided to provide an answer with a few explanations.


The source IP seen in the NGINX Ingress Controller container is not the original source IP of the client. To enable preservation of the client IP, set service.spec.externalTrafficPolicy to Local in the Service configuration file (see the Preserving the client source IP documentation).

If you already have kubernetes/ingress-nginx deployed, you can use the command below to configure this field:

$ kubectl patch svc <INGRESS_CONTROLLER_SERVICE_NAME> -p '{"spec":{"externalTrafficPolicy":"Local"}}'

If you would like to enable client source IP preservation during the installation of kubernetes/ingress-nginx, add --set controller.service.externalTrafficPolicy=Local to the Helm install command.

Additionally, you can find useful information in this Kubernetes documentation.

matt_j
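The following is an added example, not code from the question or the answer above, that reproduces the symptom offline: it parses the controller access-log line quoted in the question (first field is nginx's $remote_addr) and evaluates whitelist-source-range the way nginx does, once against the SNAT'd node IP that externalTrafficPolicy: Cluster produces and once against the real client address that externalTrafficPolicy: Local preserves. The client addresses 10.0.0.42 and 203.0.113.7 are constructed for the example; the node IP 10.0.10.1 comes from the log line on the page.

```python
import ipaddress
import re
from typing import Dict, Iterable, Tuple

# Constructed from the access-log line quoted in the question. With the default
# ingress-nginx log format the first field is $remote_addr: the TCP peer nginx
# sees, which is NOT necessarily the real client.
ACCESS_LOG_LINE = (
    '10.0.10.1 - - [15/Oct/2019:05:40:46 +0000] "GET / HTTP/2.0" 200 2073 "-" '
    '"curl/7.54.0" 38 0.019 [wfs-ipa-8443] [] 10.0.1.2:8443 2073 0.020 200 '
    'a2d2053149dd26a490251439629134ff'
)

# Leading fields of the default nginx combined-style format.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def parse_remote_addr(line: str) -> str:
    """Return the address nginx logged as its peer ($remote_addr)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised access-log line")
    return m.group("remote_addr")


def allowed(evaluated_ip: str, ranges: Iterable[str]) -> bool:
    """Emulate whitelist-source-range: permit iff the evaluated address is in any range."""
    ip = ipaddress.ip_address(evaluated_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def decision(real_client: str, node_ip: str, ranges: Iterable[str],
             client_ip_preserved: bool) -> bool:
    """Which address nginx evaluates depends on the Service's externalTrafficPolicy.

    Cluster (default): kube-proxy may forward to a controller pod on another node
    and SNATs the connection, so nginx evaluates the node IP.
    Local: traffic only reaches nodes with a local controller pod and is not
    SNAT'd, so nginx evaluates the real client address.
    """
    evaluated = real_client if client_ip_preserved else node_ip
    return allowed(evaluated, ranges)


def symptom_table() -> Dict[Tuple[str, str, str], bool]:
    """Reproduce the two symptoms from the question for a LAN and a WAN client."""
    node_ip = parse_remote_addr(ACCESS_LOG_LINE)          # "10.0.10.1" (from the page)
    clients = {
        "lan": "10.0.0.42",     # constructed: a host in the 10.0.0.0/24 DHCP range
        "wan": "203.0.113.7",   # constructed: an Internet client (TEST-NET-3)
    }
    results = {}
    for label, ranges in (("/16", ["10.0.0.0/16"]), ("/24", ["10.0.0.0/24"])):
        for who, ip in clients.items():
            results[(label, who, "snat")] = decision(ip, node_ip, ranges, False)
            results[(label, who, "preserved")] = decision(ip, node_ip, ranges, True)
    return results


if __name__ == "__main__":
    for (cidr, who, mode), ok in sorted(symptom_table().items()):
        print(f"allowlist {cidr:<4} client={who:<3} {mode:<9} -> {'allow' if ok else 'deny'}")
```

With SNAT in play the allowlist degenerates to a single yes/no on the node IP: 10.0.10.1 is inside 10.0.0.0/16, so every client (LAN or Internet) is admitted, and it is outside 10.0.0.0/24, so every client is refused. Only with the client address preserved does the /16 or /24 range actually distinguish LAN from WAN. After switching the ingress-nginx Service to externalTrafficPolicy: Local, confirm in the controller logs that $remote_addr now shows client addresses rather than node addresses, and keep in mind that with Local only nodes that run a controller pod accept traffic for that Service, so the controller should be scheduled (or run as a DaemonSet) on the nodes the load balancer actually sends traffic to.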