Question

nginx ingress wihtelist-source-range

Hi all

I am trying to use the whitelist function of Ingress (nginx) in connection with DigitalOcean managed Kubernetes and DO LoadBalancer.

But somehow this doesn’t seem to work. Or I don’t understand how it should work.

I have an ingress definition:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/wihtelist-source-range: "xx.xxx.x.xxx,xx.xxx.x.xxx/32"
  name: service
  namespace: ioneaccess
spec:
  ingressClassName: nginx
  rules:
    - host: service.my-company.work
      http:
        paths:
        - pathType: ImplementationSpecific
          backend:
            service:
              name: service
              port:
                number: 8181
  tls:
    - hosts:
        - service.my-company.work
      secretName: service-tls

Using the “whitelist-source-range” annotation: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range

This works as far as it goes. But not quite. Now I get a 403 Forbidden. But if I now call the service with a shared IP address, I still get a 403.

Now what I find interesting / strange is the log statement from nginx:

2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /service/v1/ping HTTP/2.0", host: "service.my-company.work"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /service/v1/ping HTTP/2.0" 403 548 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 28 0.000 [my-company-service-8181] [] - - - - 388681cd5eaf49c126c73c94b248025d
2023/05/22 11:51:05 [error] 362#362: *149896 access forbidden by rule, client: 10.135.*.*, server: service.my-company.work, request: "GET /favicon.ico HTTP/2.0", host: "service.my-company.work", referrer: "https://service.my-company.work/service/v1/ping"
10.135.*.* - - [22/May/2023:11:51:05 +0000] "GET /favicon.ico HTTP/2.0" 403 548 "https://service.my-company.work/service/v1/ping" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" 25 0.000 [my-company-service-8181] [] - - - - c08fae8aabca60eca1ebf7babcb723

And now that I have written everything, I have probably found the solution:

I think I installed Ingress in our cluster like this:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/cloud/deploy.yaml

And not like this (DO specific)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.7.1/deploy/static/provider/do/deploy.yaml

And now the logs of Nginx show the correct IP (remote) and not a 10.* and everything works as desired.

I will leave this post as it is. Maybe it will help someone.

But maybe someone could explain what the difference is in the deployment?

Thank you + greetings Marcel


    I have the exact same issue. I installed ingress with helm:

    helm -n nginx-ingress install nginx-ingress -f helm/nginx-ingress/values.yaml ingress-nginx/ingress-nginx
    

    I’ll try this solution: https://docs.digitalocean.com/support/how-to-enable-proxy-protocol-when-load-balancer-sends-requests-to-nginx-ingress-controller/

    I’ll let you know if it works.

    There is a typo in your yaml file: You have https://nginx.ingress.kubernetes.io/wihtelist-source-range : “wihtelist” instead of “whitelist”.
