11

I know I can whitelist IPs for the entire ingress object, but is there a way to whitelist IPs for individual paths? For example, if I only want to allow /admin to be accessed from 10.0.0.0/16?

ingress.yml:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80
cclloyd
  • 8,171
  • 16
  • 57
  • 104

3 Answers3

8

If you would like to split it two Ingres, it would look like example below. First Ingress with /admin path and annotation and second Ingress with others paths allowed by any IP.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-admin
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-all
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

Please keep in mind that annotation nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" will override some of your config. As mentioned in Nginx docs:

Adding an annotation to an Ingress rule overrides any global restriction.


Another option is to use ConfigMap whitelist-source-range. Like mentioned in this example, you can use ngx_http_access_module.

As in Nginx config, each path is saved as

location / {
  ...
}

location /api {
  ...
}

you can add thoses restrictions there. Below example:

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
PjoterS
  • 12,841
  • 1
  • 22
  • 54
2

you can try deviding the ingress in parts. i created two ingress both having diff. path and you can change whitelisting IP

1 : 

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80

2 : 

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend-two
              servicePort: 80
Harsh Manvar
  • 27,020
  • 6
  • 48
  • 102
0

Did you resolve the issue? I can't figure out, how to use this option, from the previous answer

Another option is to use ConfigMap whitelist-source-range. Like mentioned in this example, you can use ngx_http_access_module

Can you provide example, please?

Dividing to several ingresses - it's very unsuitable for some cases =(

I've just find another solution (but i think solution from previous answer more pretty): You can use annotation nginx.ingress.kubernetes.io/server-snippet and write, like directly in nginx.conf

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-snippet

https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/

Wojtek_B
  • 4,245
  • 1
  • 7
  • 21
ssk
  • 33
  • 1
  • 4
  • The best option I found was just to have 2 different ingress manifests, though I didn't have time to do much research after I got it working with 2 ingresses. – cclloyd Mar 11 '20 at 20:22