Question

How do I create an IP whitelist in DigitalOcean Kubernetes clusters?

Posted August 1, 2019 1.7k views
Kubernetes
  • request.headers[“x-real-ip”] doesn’t appear to have the real external ip address
  • DO firewall is attached to the K8s cluster but is already whitelisted to internal ips only as the load balancer only has access to the cluster
  • can’t attach a DO firewall to the load balancer
edited by MattIPv4


1 answer

Hi there,

One way I can think that you can achieve this is to use an ingress controller like nginx.

Expose the nginx ingress controller as a ‘LoadBalancer’. Then use service annotations to configure the nginx whitelist per the docs here.

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range

This will allow you to manage traffic more fine grained via your ingress controller and ingress rules.

Hope this helps!

Regards,

John Kwiatkoski
Senior Developer Support Engineer

  • That does not seem to work.
    The IP received by the ingress is not the same as the origin client.
    I could not find a way to fix it yet.

  • Is there any plan to address this properly? It’s kind of a dealbreaker, and we may be forced to move our cluster to another service provider unless it can be supported out of the box – and asking that we set up a complex mmproxy / IPTables hack on every pod we deploy is absurd and doesn’t count.

    Whether or not they’re running on Kubernetes shouldn’t affect whether or not we can IP whitelist services we’re hosting on DO.

    We never would have decided to use DO as our managed Kubernetes provider if it had occurred to us that such a baseline use case might be unsupported.

    • Update: Found documentation from another managed Kubernetes provider which worked and was much more simple to configure than iptables/mmproxy on every pod.

      If you’re using the nginx-ingress helm chart from stable, it’s a matter of running the following, replacing the “XX.XX.XX.XX/XX” with the CIDR block you want to whitelist.

      cat <<EOF > nginx-ingress-controller-helm-values.yaml
      controller:
          publishService:
              enabled: true
          config:
              # ingress-nginx ConfigMap keys (the original post spelled these
              # "use-forward-headers" / "compute-full-forward-for", which the
              # controller does not recognise)
              use-forwarded-headers: "true"
              compute-full-forwarded-for: "true"
              # read the client address from the PROXY protocol header sent by the LB
              use-proxy-protocol: "true"
          service:
              annotations:
                loadbalancer.openstack.org/proxy-protocol: "true"
                # tell the DigitalOcean load balancer to send PROXY protocol
                service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
                nginx.ingress.kubernetes.io/whitelist-source-range: "XX.XX.XX.XX/XX"
      EOF
      

      And then (assuming your helm chart name is “nginx-ingress”)

      helm upgrade nginx-ingress stable/nginx-ingress -f nginx-ingress-controller-helm-values.yaml
      
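The linked docs apply the whitelist annotation to Ingress resources, so once the controller above is receiving real client addresses via PROXY protocol, each exposed service can carry its own allowed range. The manifest below is an added example, not from this thread or from DigitalOcean; the namespace "web", service "api" on port 80, host "api.example.com" and the range 203.0.113.0/24 are placeholders.

```yaml
# Added example: an Ingress that restricts one service to a single CIDR.
# The annotation is checked against the client address nginx sees, so the
# load balancer must forward the original address (PROXY protocol, as in the
# helm values above); otherwise every request appears to come from the load
# balancer and the list either blocks everything or has to include the LB.
# Assumed names: namespace "web", service "api":80, host "api.example.com",
# allowed range 203.0.113.0/24 (placeholder).
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: api
  namespace: web
  annotations:
    kubernetes.io/ingress.class: nginx
    # comma-separated list of CIDRs allowed to reach this Ingress
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"
spec:
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: api
              servicePort: 80
```

Requests from outside the range get an HTTP 403 from the controller; confirm in the controller pod's access log that the logged client address is the caller's, not the load balancer's, before relying on the list.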