Hello anyone who reads this,
I’m looking for a way to restrict access to a publicly exposed service (type LoadBalancer) at 234.234.234.234:1234 to a specific trusted IP at 123.123.123.123.
The way to do this seems to be via
nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/32
as described in articles such as this: https://medium.com/@maninder.bindra/using-nginx-ingress-controller-to-restrict-access-by-ip-ip-whitelisting-for-a-service-deployed-to-bd5c86dc66d6
However, this runs into a problem because the default externalTrafficPolicy being set to "Cluster" obfuscates the sender IP to some local bs even for the bloody Ingress controller.
The solution to this appears to be to set controller.service.externalTrafficPolicy to Local, but I’m not sure about the ramifications of that since it changes the entire way of addressing pods and I’ve read some posts about performance issues with this approach.
There is also the problem that the resource in question already exists and I’d have to recreate it fully, apparently. Every post I’ve read on this seems to assume your resource doesn’t exist yet.
I wonder if there is a way to lift the source IP obfuscation without a change as large-looking as that.
2 Answers
"Setting the externalTrafficPolicy to Local comes with potential downsides such as Load Distribution: Traffic is only sent to nodes with relevant pods or in case of pod failures, the service won't reroute traffic to other nodes unless a relevant pod is available on those nodes." - Arko
This explanation resolved my doubts about using externalTrafficPolicy: Local in my specific use case.
To implement IP whitelisting in a public Kubernetes service with the Nginx Ingress controller, you need to configure the externalTrafficPolicy to Local to preserve the client’s IP address. By default, the externalTrafficPolicy is set to Cluster, which means that traffic from the client is routed to any node in the cluster, and this can obfuscate the original client IP address.

To retain the client’s IP address, set the externalTrafficPolicy to Local for your LoadBalancer service:

example

This setting ensures that external traffic is routed directly to the nodes where the pods are running, preserving the client’s IP address.

You can update an existing service by applying this configuration, or you can patch the service using

Next, configure the Ingress resource for IP whitelisting using the nginx.ingress.kubernetes.io/whitelist-source-range annotation:

example

This configuration restricts access to the Ingress to the specified IP address 123.123.123.123. It uses IP whitelisting in Nginx Ingress for a public service, setting externalTrafficPolicy to Local to preserve the client IP.

Another way to restrict access to a publicly exposed service in AKS is to use the nginx.ingress.kubernetes.io/whitelist-source-range annotation to whitelist a specific trusted IP. However, the default externalTrafficPolicy being set to "Cluster" can obfuscate the sender IP, even for the Ingress controller. To lift the source IP obfuscation without changing the externalTrafficPolicy, you can use the nginx.ingress.kubernetes.io/real-ip-header annotation to specify the header that contains the real IP address of the client. Set the value to X-Forwarded-For to use the X-Forwarded-For header.

example

This example uses the nginx.ingress.kubernetes.io/real-ip-header annotation to specify the X-Forwarded-For header as the header that contains the real IP address of the client. This allows you to lift the source IP obfuscation without changing the externalTrafficPolicy.

Using either externalTrafficPolicy: Local or the real-ip-header annotation with X-Forwarded-For to achieve IP whitelisting with Nginx Ingress in AKS is valid, and the choice between them depends on the specific requirements and network architecture.

References:
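As an added example that is not code from the question or from the answer above, here is the procedure the answer describes, written as a shell script against an existing cluster: patch the controller's LoadBalancer Service in place (spec.externalTrafficPolicy is a mutable field, so the existing Service is modified rather than deleted and recreated), apply the Ingress carrying the whitelist-source-range annotation, and read the policy back. The namespace, Service, port, host and IngressClass names are assumptions and can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above. Assumptions:
# ingress-nginx is installed in namespace "ingress-nginx" with the controller
# Service named "ingress-nginx-controller" (the Helm chart defaults); the app
# behind it is Service "myapp" on port 1234 in namespace "default"; the
# IngressClass is "nginx"; the trusted client is 123.123.123.123. Every one of
# these can be overridden through the environment. Set KUBECTL=echo to print
# the kubectl invocations instead of executing them.
set -eu

KUBECTL="${KUBECTL:-kubectl}"
CTRL_NS="${CTRL_NS:-ingress-nginx}"
CTRL_SVC="${CTRL_SVC:-ingress-nginx-controller}"
APP_NS="${APP_NS:-default}"
APP_SVC="${APP_SVC:-myapp}"
APP_PORT="${APP_PORT:-1234}"
APP_HOST="${APP_HOST:-myapp.example.com}"
TRUSTED_CIDR="${TRUSTED_CIDR:-123.123.123.123/32}"

# Strategic-merge patch for the controller's LoadBalancer Service.
# spec.externalTrafficPolicy is mutable, so the existing Service is changed in
# place; it does not have to be deleted and recreated.
patch_body() {
  printf '%s' '{"spec":{"externalTrafficPolicy":"Local"}}'
}

# Step 1: stop the node-level SNAT so nginx sees the real client address.
set_local_policy() {
  "$KUBECTL" patch svc "$CTRL_SVC" -n "$CTRL_NS" -p "$(patch_body)"
}

# Ingress manifest carrying the allow-list. nginx evaluates the annotation
# against the source address of the connection it accepts, which is why step 1
# comes first: under Cluster that address is a node's own address after SNAT,
# so a /32 allow-list would deny every client, including the trusted one.
ingress_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${APP_SVC}
  namespace: ${APP_NS}
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "${TRUSTED_CIDR}"
spec:
  ingressClassName: nginx
  rules:
    - host: ${APP_HOST}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ${APP_SVC}
                port:
                  number: ${APP_PORT}
EOF
}

# Step 2: create or update the Ingress (apply is idempotent).
apply_ingress() {
  ingress_manifest | "$KUBECTL" apply -f -
}

# Step 3: confirm the policy. With Local the API server also allocates
# spec.healthCheckNodePort; the cloud load balancer probes it and skips nodes
# that run no controller pod, which is the load-distribution trade-off noted
# in the comment above.
show_policy() {
  "$KUBECTL" get svc "$CTRL_SVC" -n "$CTRL_NS" \
    -o jsonpath='{.spec.externalTrafficPolicy} {.spec.healthCheckNodePort}{"\n"}'
}

case "${1:-}" in
  apply) set_local_policy; apply_ingress; show_policy ;;
  manifest) ingress_manifest ;;
  *) ;;
esac
```

Run it as "sh restrict.sh apply" against the cluster; "KUBECTL=echo sh restrict.sh apply" prints the kubectl invocations for review first, and "sh restrict.sh manifest" prints the Ingress alone. Because Local sends traffic only to nodes that run a controller pod, keep the controller at enough replicas (or as a DaemonSet) to cover the nodes the load balancer fronts. One caveat on the answer's second route: an allow-list evaluated against X-Forwarded-For is only as trustworthy as whatever last wrote that header, and a client can send the header itself, so the controller must be told which upstream proxy addresses to believe (in ingress-nginx the ConfigMap keys use-forwarded-headers and proxy-real-ip-cidr scope that trust); this script therefore takes the externalTrafficPolicy route, where the allow-list is checked against the TCP source address.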