Hi all
I am trying to use the whitelist function of Ingress (nginx) in connection with DigitalOcean managed Kubernetes and DO LoadBalancer.
But somehow this doesn’t seem to work. Or I don’t understand how it should work.
I have an ingress definition:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # annotation key exactly as posted (misspelled; see the reply below)
    nginx.ingress.kubernetes.io/wihtelist-source-range: "xx.xxx.x.xxx,xx.xxx.x.xxx/32"
  name: service
  namespace: ioneaccess
spec:
  ingressClassName: nginx
  rules:
  - host: service.my-company.work
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: service
            port:
              number: 8181
  tls:
  - hosts:
    - service.my-company.work
    secretName: service-tls
```
Using the “whitelist-source-range” annotation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
This works as far as it goes. But not quite. Now I get a 403 Forbidden. But if I now call the service with a shared IP address, I still get a 403.
Now what I find interesting / strange is the log statement from nginx:
```
2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /service/v1/ping HTTP/2.0" 403 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 28 0.000 [my-company-service-8181] [] - - - - 388681cd5eaf49c126c73c94b248025d
2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /favicon.ico HTTP/2.0", host: "service.my-company.work", referrer: "https://service.my-company.work/service/v1/ping"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /favicon.ico HTTP/2.0" 403 548 "https://service.my-company.work/service/v1/ping" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 25 0.000 [my-company-service-8181] [] - - - - c08fae8aabca60eca1ebf7babcb723
```
And now that I have written everything, I have probably found the solution:
I think I installed Ingress in our cluster like this:
```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml
```
And not like this (DO-specific):
```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/do/deploy.yaml
```
And now the logs of nginx show the correct (remote) IP and not a 10.* address, and everything works as desired.
I will leave this post as it is. Maybe it will help someone.
But maybe someone could explain what the difference is in the deployment?
Thank you + greetings Marcel
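Added example (not part of the original post or of ingress-nginx) to illustrate why the allow-list behaved as in the logs above. `whitelist-source-range` is evaluated against the address nginx sees as the client. Behind a DigitalOcean load balancer that does not forward the original source, that address is the 10.x load-balancer/node address from the log lines, so every request is denied regardless of the real client. The DO-specific manifest differs from the generic cloud one in that it enables the PROXY protocol on both ends (the Service annotation `service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"` and `use-proxy-protocol: "true"` in the controller ConfigMap); confirm this for your version by diffing the two deploy.yaml URLs. The code below models the decision with a minimal PROXY v1 header parser; the allow-list, the peer address and the header bytes are constructed sample values, and the `decide` function is a hypothetical stand-in for nginx's rule, not the controller's code.

```python
"""Model of ingress-nginx's whitelist-source-range check and how the PROXY
protocol changes which address the check is applied to (added example)."""
import ipaddress
from typing import List, Optional


def parse_source_range(annotation: str) -> List[ipaddress._BaseNetwork]:
    """Parse the annotation value: comma-separated IPs or CIDRs.
    A bare address becomes a single-host network (/32 or /128)."""
    nets = []
    for item in annotation.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def allowed(client_ip: str, nets: List[ipaddress._BaseNetwork]) -> bool:
    """True if client_ip falls inside any allowed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def parse_proxy_v1(header: bytes) -> str:
    """Return the original source address carried in a PROXY protocol v1
    line: 'PROXY TCP4 <src> <dst> <srcport> <dstport>\\r\\n'."""
    line = header.split(b"\r\n", 1)[0].decode("ascii")
    fields = line.split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("not a valid PROXY v1 header")
    ipaddress.ip_address(fields[2])  # validates the address, raises if malformed
    return fields[2]


def effective_client(tcp_peer: str, proxy_header: Optional[bytes],
                     use_proxy_protocol: bool) -> str:
    """The address nginx treats as the client ($remote_addr).

    Without use-proxy-protocol it is the TCP peer, i.e. the load balancer's
    internal 10.x address. With it, nginx expects a PROXY header on every
    connection and rejects connections that do not start with one, so the
    LB must be configured to send it."""
    if use_proxy_protocol:
        if proxy_header is None:
            raise ValueError("use-proxy-protocol is on but the peer sent no PROXY header")
        return parse_proxy_v1(proxy_header)
    return tcp_peer


def decide(annotation: str, tcp_peer: str, proxy_header: Optional[bytes],
           use_proxy_protocol: bool) -> int:
    """Hypothetical stand-in for the nginx rule: 200 if allowed, else 403."""
    client = effective_client(tcp_peer, proxy_header, use_proxy_protocol)
    return 200 if allowed(client, parse_source_range(annotation)) else 403


# Constructed sample data (documentation address ranges, not the poster's).
ALLOW_LIST = "203.0.113.10,198.51.100.0/24"
LB_INTERNAL_PEER = "10.135.0.7"           # what the node sees without PROXY protocol
PROXY_HDR_OK = b"PROXY TCP4 203.0.113.10 10.135.0.7 43210 443\r\n"
PROXY_HDR_OTHER = b"PROXY TCP4 192.0.2.9 10.135.0.7 51000 443\r\n"

if __name__ == "__main__":
    # Generic cloud manifest: rule sees 10.135.0.7, every client gets 403.
    print("no PROXY protocol:", decide(ALLOW_LIST, LB_INTERNAL_PEER, None, False))
    # DO manifest: rule sees the real source carried in the PROXY header.
    print("allowed client:   ", decide(ALLOW_LIST, LB_INTERNAL_PEER, PROXY_HDR_OK, True))
    print("other client:     ", decide(ALLOW_LIST, LB_INTERNAL_PEER, PROXY_HDR_OTHER, True))
```

Two caveats follow from the model: turning on `use-proxy-protocol` without also enabling it on the load balancer breaks every connection, since nginx then expects a header the LB never sends; and the source address is only trustworthy because it comes from the PROXY header written by the LB, not from a client-controlled header such as X-Forwarded-For, which an allow-list must never be evaluated against unless it was set by a proxy you control.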
There is a typo in your yaml file: you have `nginx.ingress.kubernetes.io/wihtelist-source-range`: “wihtelist” instead of “whitelist”.

Hi there,
That is super helpful Marcel! Thank you so much for taking the time and sharing this with the community!
Best,
Bobby