Question

Whitelisted IP not working with Nginx-Ingress Load Balancer

Posted November 16, 2020 1.8k views
Nginx, Load Balancing, Kubernetes, DigitalOcean Managed Kubernetes

I deployed an App that is running fine in my cluster. During the cluster creation I installed the Nginx-Ingress, created a k8s Ingress and configured the Forwarding Rules of the load balancer as HTTPS with a valid certificate. All this is working fine. My Ingress is as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/externalTrafficPolicy: Local
spec:
  rules:
  - host: dev.mysite.com
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: bkendapi
            port:
              number: 8005
      - path: /rec
        pathType: Prefix
        backend:
          service:
            name: bkendrec
            port:
              number: 5005

All this is working fine.

Now I am trying to add a whitelist. This is the first time I am doing it. To do so, I added the following line under annotations:

nginx.ingress.kubernetes.io/whitelist-source-range: xxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is the IP of a specific DO droplet that will connect to the cluster. But now everything gets blocked; I cannot access the cluster from the whitelisted IP or from anywhere else. I tried different IPs but failed.

Please, what am I doing wrong/missing?

Thanks!

1 answer

I contacted DO about this issue (end of November 2020). They told me what I am trying to do is not possible as they did not implement whitelisting in their Kubernetes. Their reply stated:

Whitelisting isn’t supported on our clusters. When nodes are recycled, their IP is commonly replaced and there is no option to save these IPs or realistically create white lists as these change.
We typically recommend placing something like a Droplet in front of the cluster as a gateway that can be whitelisted.

Therefore I will switch back to the default LoadBalancer (without Nginx-Ingress) as the sole reason that I tried to use it was because of the whitelisting.
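
A way to check one possible cause of the "everything gets blocked" symptom in the question, as an added example that is not part of the original posts: the whitelist is matched against the peer address the ingress controller sees, so if only cluster-internal addresses reach it, no external IP can ever match. That cause is an assumption the thread does not confirm; the log lines, addresses and function names below are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; a peer in one of these is a cluster-internal hop, not an Internet client.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed controller access-log lines (first field is the peer address nginx saw).
SAMPLE_LOG = [
    '10.244.0.1 - - [16/Nov/2020:10:00:00 +0000] "GET /api HTTP/1.1" 403 146',
    '10.244.1.1 - - [16/Nov/2020:10:00:05 +0000] "GET /rec HTTP/1.1" 403 146',
    '10.244.0.1 - - [16/Nov/2020:10:00:09 +0000] "GET /api HTTP/1.1" 403 146',
]

def parse_ranges(annotation):
    """Parse a whitelist-source-range value: comma-separated CIDRs or bare IPs."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in annotation.split(",") if item.strip()]

def allowed(peer, nets):
    """True if the peer address falls inside any allowed network."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in nets)

def audit(log_lines, annotation):
    """Classify each distinct peer and flag logs where no real client address appears."""
    nets = parse_ranges(annotation)
    peers = sorted({line.split()[0] for line in log_lines if line.strip()})
    internal = [p for p in peers if any(ipaddress.ip_address(p) in n for n in RFC1918)]
    return {
        "allowed": [p for p in peers if allowed(p, nets)],
        "denied": [p for p in peers if not allowed(p, nets)],
        # Every peer is internal: the client address was replaced before reaching nginx.
        "source_ip_lost": bool(peers) and len(internal) == len(peers),
    }

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for the whitelisted droplet.
    print(audit(SAMPLE_LOG, "203.0.113.10"))
```

If `source_ip_lost` is true for real controller logs, the whitelist is being evaluated against internal hops rather than the droplet's address.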