Question

nginx ingress wihtelist-source-range

Hi all

I am trying to use the whitelist function of Ingress (nginx) in connection with DigitalOcean managed Kubernetes and DO LoadBalancer.

But somehow this doesn’t seem to work. Or I don’t understand how it should work.

I have an ingress definition:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/wihtelist-source-range: "xx.xxx.x.xxx,xx.xxx.x.xxx/32"
  name: service
  namespace: ioneaccess
spec:
  ingressClassName: nginx
  rules:
    - host: service.my-company.work
      http:
        paths:
        - pathType: ImplementationSpecific
          backend:
            service:
              name: service
              port:
                number: 8181
  tls:
    - hosts:
        - service.my-company.work
      secretName: service-tls

Using the “whitelist-source-range” annotation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range

This works as far as it goes. But not quite. Now I get a 403 Forbidden. But if I now call the service with a shared IP address, I still get a 403.

Now what I find interesting / strange is the log statement from nginx:

2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /service/v1/ping HTTP/2.0" 403 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 28 0.000 [my-company-service-8181] [] - - - - 388681cd5eaf49c126c73c94b248025d
2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /favicon.ico HTTP/2.0", host: "service.my-company.work", referrer: "https://service.my-company.work/service/v1/ping"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /favicon.ico HTTP/2.0" 403 548 "https://service.my-company.work/service/v1/ping" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 25 0.000 [my-company-service-8181] [] - - - - c08fae8aabca60eca1ebf7babcb723

And now that I have written everything, I have probably found the solution:

I think I installed Ingress in our cluster like this:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml

And not like this (DO specific)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/do/deploy.yaml

And now the logs of Nginx show the correct IP (remote) and not a 10.* and everything works as desired.

I will leave this post as it is. Maybe it will help someone.

But maybe someone could explain what the difference is in the deployment?

Thank you + greetings Marcel

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Daniel ViguerasMay 23, 2023

There is a typo in your yaml file: You have https://nginx.ingress.kubernetes.io/wihtelist-source-range : “wihtelist” instead of “whitelist”.

Bobby Iliev
Site Moderator
Site Moderator badge
May 22, 2023

Hi there,

That is super helpful Marcel! Thank you so much for taking the time and sharing this with the community!

Best,

Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up