
I have a backend application behind an nginx ingress controller in a GKE cluster, and I want to whitelist only a certain IP to access it. I added this annotation to the associated ingress:

nginx.ingress.kubernetes.io/whitelist-source-range: "my-ip/32"

I also have the externalTrafficPolicy set to Local in the ingress controller service.

The issue is that when I hit my application it always returns 403 Forbidden, and in the ingress controller logs, when I hit the application, it logs "access forbidden by rule, client: 127.0.0.1, server: my-appliaction.domain.ext", which means that the client IP is not forwarded to the ingress controller.

Here is my Ingress manifest:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  # Object names and hostnames must be lowercase RFC 1123 names: hyphens, not underscores
  name: my-app
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: x.x.x.x/32
spec:
  ingressClassName: nginx
  rules:
  - host: my-app.company.com
    http:
      paths:
      - backend:
          service:
            name: my-app
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - my-app.company.com
    secretName: certificate.tls

Did I miss something?

Thanks in advance.

Naran
  • You'll get better traction at serverfault.com, stackoverflow is for questions related to software development, not networking or system administration. – anothermh Nov 02 '22 at 15:52

1 Answer

To preserve client IP in GKE we can follow the below 2 methods:

Method 1: If you want to configure the client IP for all ingress rules, you have to set this IP globally, and the whitelist-source-range value should be set in the NGINX ConfigMap under whitelist-source-range. You can use the ngx_http_access_module.

Note: Not all ingress controllers support whitelisting; you can cross-check your ingress controller in this document.

Method 2: If you don't want to configure the IP for all your ingress rules, you need to create two separate ingresses. The first ingress is for whitelisting hosts and the second ingress is for your host.

For more information refer to this Stack Question.

Regarding the 403 Forbidden error, refer to this Serverfault Question.

Veera Nagireddy
  • I would like the whitelisting to be by ingress. Any example on how to use two separate ingresses? since I don't understand why two while I only want to whitelist a single IP... and finally isn't the annotation enough for whitelisting? – Naran Nov 07 '22 at 08:46
  • Try this similar [stack question](https://stackoverflow.com/questions/70848466) may help to resolve your issue. – Veera Nagireddy Nov 11 '22 at 04:32
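As an added diagnostic, not part of the question or the answer: a small Python check that reads ingress-nginx error-log lines like the one quoted in the question and tells you whether the address the whitelist rule was evaluated against could have been the real caller. The log lines and the whitelist value are constructed for the example; a loopback or cluster-internal address in a denial line means the source IP was lost before the rule ran, so the whitelist is denying everyone rather than protecting anything.

```python
import ipaddress
import re

# Whitelist as the question's annotation expresses it (constructed value).
WHITELIST = ["198.51.100.4/32"]

# Loopback, RFC 1918 and link-local ranges: a cluster hop, never an Internet caller.
NON_CLIENT_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed log lines modelled on the message quoted in the question
# ("access forbidden by rule, client: 127.0.0.1, server: ...").
SAMPLE_LOG = """\
2022/11/02 15:40:01 [error] 31#31: *12 access forbidden by rule, client: 127.0.0.1, server: my-app.company.com, request: "GET / HTTP/1.1"
2022/11/02 15:40:05 [error] 31#31: *13 access forbidden by rule, client: 203.0.113.7, server: my-app.company.com, request: "GET / HTTP/1.1"
2022/11/02 15:40:09 [error] 31#31: *14 access forbidden by rule, client: 10.8.0.23, server: my-app.company.com, request: "GET /api HTTP/1.1"
2022/11/02 15:40:12 [error] 31#31: *15 access forbidden by rule, client: 198.51.100.4, server: my-app.company.com, request: "GET / HTTP/1.1"
"""

FORBIDDEN_RE = re.compile(
    r"access forbidden by rule, client: (?P<ip>[0-9A-Fa-f.:]+), server: (?P<server>[^,]+),")

def in_whitelist(ip, cidrs):
    """The test nginx applies: is the client address inside any allowed range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def classify_denial(line, cidrs):
    """Return (client_ip, verdict) for a whitelist denial line, else None."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    ip = m.group("ip")
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NON_CLIENT_RANGES):
        # nginx evaluated the rule against a loopback/cluster address: the caller's
        # IP was rewritten (NAT, kube-proxy, LB) before the rule ran, so every
        # caller is denied no matter what the whitelist says.
        verdict = "source-ip-lost"
    elif in_whitelist(ip, cidrs):
        verdict = "unexpected-deny"  # an allowed address was still denied
    else:
        verdict = "expected-deny"    # the whitelist is doing its job
    return ip, verdict

def audit(log_text, cidrs=WHITELIST):
    """Classify every denial; any 'source-ip-lost' means the IP path is broken."""
    return [r for r in (classify_denial(l, cidrs) for l in log_text.splitlines()) if r]
```

Run `audit(SAMPLE_LOG)` against your own controller's error log to see which of the three cases you are in before changing the service or ConfigMap.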