Hi all
I am trying to use the whitelist function of Ingress (nginx) in connection with DigitalOcean managed Kubernetes and DO LoadBalancer.
But somehow this doesn’t seem to work. Or I don’t understand how it should work.
I have an ingress definition:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/whitelist-source-range: "xx.xxx.x.xxx,xx.xxx.x.xxx/32"
  name: service
  namespace: ioneaccess
spec:
  ingressClassName: nginx
  rules:
  - host: service.my-company.work
    http:
      paths:
      - pathType: ImplementationSpecific
        backend:
          service:
            name: service
            port:
              number: 8181
  tls:
  - hosts:
    - service.my-company.work
    secretName: service-tls
```
Using the “whitelist-source-range” annotation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
This works as far as it goes. But not quite. Now I get a 403 Forbidden. But if I now call the service with a shared IP address, I still get a 403.
Now what I find interesting / strange is the log statement from nginx:
```
2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /service/v1/ping HTTP/2.0" 403 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 28 0.000 [my-company-service-8181] [] - - - - 388681cd5eaf49c126c73c94b248025d
2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /favicon.ico HTTP/2.0", host: "service.my-company.work", referrer: "https://service.my-company.work/service/v1/ping"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /favicon.ico HTTP/2.0" 403 548 "https://service.my-company.work/service/v1/ping" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 25 0.000 [my-company-service-8181] [] - - - - c08fae8aabca60eca1ebf7babcb723
```
And now that I have written everything, I have probably found the solution:
I think I installed Ingress in our cluster like this:
```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml
```
And not like this (DO specific):
```shell
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/do/deploy.yaml
```
And now the logs of Nginx show the correct IP (remote) and not a 10.* and everything works as desired.
I will leave this post as it is. Maybe it will help someone.
But maybe someone could explain what the difference is in the deployment?
Thank you + greetings Marcel
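The error-log lines above show the allow-list rejecting a 10.135.x.x client, i.e. an internal hop address rather than the real client. The script below, an added example that is not part of Marcel's post, parses ingress-nginx error-log lines of that shape and flags denials whose client address is cluster-internal, the signature of a controller deployment that does not preserve the source IP; the sample lines are constructed to match the post's format with made-up addresses.

```python
import ipaddress
import re

# Shape of the ingress-nginx error-log line quoted in the post:
# "... access forbidden by rule, client: 10.135.x.x, server: ..., request: "GET ... HTTP/2.0", ..."
DENY_RE = re.compile(
    r'access forbidden by rule, client: (?P<client>[0-9a-fA-F.:]+), '
    r'server: (?P<server>\S+), request: "(?P<request>[^"]*)"'
)

# Ranges that can only be a node, pod or load-balancer hop, never an Internet client.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_denials(lines):
    """Extract (client, server, request) from every allow-list denial line; other lines are ignored."""
    denials = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            denials.append((m.group("client"), m.group("server"), m.group("request")))
    return denials


def is_internal(addr):
    """True if the address lies in one of the cluster-internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit(lines):
    """Split denials by whether nginx saw a real client address or an internal hop (post-SNAT)."""
    report = {"internal": [], "external": []}
    for client, server, request in parse_denials(lines):
        report["internal" if is_internal(client) else "external"].append((client, server, request))
    return report


def verdict(report):
    """One-line conclusion: internal-address denials mean the allow-list cannot see real clients."""
    if report["internal"]:
        return "source IP not preserved: controller Service/LB must pass the client address"
    return "allow-list is evaluating real client addresses"


# Constructed sample lines in the post's format (addresses made up; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.4.2, '
    'server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"',
    '2023/05/22 11:52:10 [error] 362#362: *149901 access forbidden by rule, client: 203.0.113.7, '
    'server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"',
    '10.135.4.2 - - [22/May/2023:11:51:05 +0000] "GET /service/v1/ping HTTP/2.0" 403 548 "-" "Mozilla/5.0"',
]
```

Run `verdict(audit(SAMPLE_LOG))` against the controller's real error log; any denial of a 10.x/172.16.x/192.168.x client means the LB or Service is rewriting the source before nginx evaluates the list.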