I want to restrict access to the application to a few IP addresses.
I used the following configuration:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/externalTrafficPolicy: Local
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/whitelist-source-range: <my-ip>/32
  name: ingress
  namespace: default
spec:
  tls:
  - hosts:
    - <app-url>
    secretName: <secret>
  rules:
  - host: <app-url>
    http:
      paths:
      - backend:
          service:
            name: front-prep
            port:
              number: 80
        path: /
        pathType: Prefix
```
With this configuration, all IPs are blocked.
When I look at the nginx-ingress logs I can see this:
```
10.124.1.3 - - [03/Aug/2022:08:08:28 +0000] "GET /dashboard HTTP/2.0" 403 548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" 26 0.000 [default-front-prep-80] [] - - - - b143cfdcde953a8d45eef6bbcb76ade8
2022/08/03 08:08:28 [error] 2558#2558: *745681 access forbidden by rule, client: 10.124.1.3, server: <app-url>, request: "GET /favicon.ico HTTP/2.0", host: "<app-url>", referrer: "<app-url>"
```
The IP is not my own IP.
Can you tell me what the problem is with my config (I'm new to k8s 🙂)?
2 Answers
I solved my problem by following this guide: https://docs.ovh.com/ie/en/kubernetes/getting-source-ip-behind-loadbalancer/
The problem came from the preservation of the client IP.
For me the problem was that I was whitelisting the public IP of the VM that hosted my API, while the VM and Kubernetes were on the same network. So the API was making calls to Kubernetes with the VM's internal IP.
In the end, I whitelisted the VM's internal IP and the problem was solved.
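An added diagnostic for the situation both answers describe (this is not code from the question or either answer): it parses ingress-nginx access-log lines in the format shown in the question and reports, for each request, whether the client address nginx saw is inside the whitelist-source-range allow list, or is a node/pod address from the cluster's own networks, which is the sign that the real client IP was not preserved on the way to the controller. The allow list, the cluster networks and the second log line are assumed/constructed values.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample lines in the ingress-nginx access-log format from the question.
# Line 1 is the question's own 403; line 2 is a constructed request from an allowed client.
SAMPLE_LOG = """\
10.124.1.3 - - [03/Aug/2022:08:08:28 +0000] "GET /dashboard HTTP/2.0" 403 548 "-" "Mozilla/5.0" 26 0.000 [default-front-prep-80] [] - - - - b143cfdcde953a8d45eef6bbcb76ade8
203.0.113.7 - - [03/Aug/2022:08:09:01 +0000] "GET /dashboard HTTP/2.0" 200 1024 "-" "Mozilla/5.0" 26 0.010 [default-front-prep-80] [] 10.244.2.5:80 1024 0.010 200 0f1e2d3c
"""

# Assumed values: the CIDRs you put in whitelist-source-range, and the node/pod networks
# of your cluster (check `kubectl get nodes -o wide` and your CNI's pod CIDR).
WHITELIST = ["203.0.113.7/32"]
CLUSTER_NETS = ["10.124.0.0/16", "10.244.0.0/16"]

# Leading fields of the default ingress-nginx log format: remote_addr - user [time] "request" status
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_access_line(line: str) -> Optional[dict]:
    """Return ip/request/status for an access-log line, or None for non-access lines."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return {"ip": ipaddress.ip_address(m["ip"]), "request": m["req"], "status": int(m["status"])}


def classify(ip, whitelist, cluster_nets) -> str:
    """'allowed' if ip is in the allow list, 'internal-source' if it is a cluster address
    (client IP not preserved), otherwise 'denied' (a genuinely unlisted client)."""
    if any(ip in ipaddress.ip_network(n) for n in whitelist):
        return "allowed"
    if any(ip in ipaddress.ip_network(n) for n in cluster_nets):
        return "internal-source"
    return "denied"


def audit(log_text: str, whitelist=WHITELIST, cluster_nets=CLUSTER_NETS) -> list:
    """Classify every access-log line; error-log lines are skipped."""
    results = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        rec["verdict"] = classify(rec["ip"], whitelist, cluster_nets)
        results.append(rec)
    return results
```

A run of "internal-source" verdicts on 403s means the allow list itself is fine and the fix is on the load balancer / Service side (preserving the source IP), not in the Ingress annotation.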