VANDEKERCKHOVE

A journey of ideas, insights, and inspiration.

Whitelisting IP addresses on Ingress-NGINX Fronted Kubernetes Services

Introduction

Securing your web applications is crucial in today’s threat landscape. Sometimes, you need to restrict access to only specific users or systems. For Kubernetes clusters, ingress-nginx provides a simple way to achieve this through IP whitelisting. In this post, we’ll explore how to set up and configure IP whitelisting for your Kubernetes applications using ingress-nginx annotations.

Why ?

In certain scenarios, it’s critical to limit access to your web application. For example:

  • Protecting admin dashboards or internal services.
  • Allowing only specific teams or offices to access the application.
  • Complying with security policies or regulations.

IP whitelisting ensures that only trusted IP addresses can access your service, adding an extra layer of security alongside authentication and TLS encryption.

Prerequisites

Before setting up IP whitelisting, ensure you have:

  1. A Kubernetes cluster with ingress-nginx installed and configured.
  2. Familiarity with creating and managing Kubernetes Ingress resources.
  3. The IP addresses or ranges you want to whitelist.
  4. Access to your cluster’s YAML configuration files or a GitOps workflow for deployment.

If ingress-nginx isn’t installed, follow the official guide.

Configuring IP Whitelisting in ingress-nginx

Let’s get to business:

  1. Open the YAML file for the ingress resource you want to protect.
  2. Add the nginx.ingress.kubernetes.io/whitelist-source-range annotation with the IPs or CIDR ranges you want to allow.
  3. Apply your manifest..

example ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.1.1/24,10.0.0.0/8"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-service
                port:
                  number: 80

Testing your configuration

After configuring your IP whitelisting, test to ensure it works as expected.
Try accessing your application from an allowed ip address by using your browser or a tool like curl:

curl -I http://example.com

You should see a succesful HTTP response (e.g., 200 OK).

Also try accessing your application from a non-whitelisted ip the same way.
This time a 403 Forbidden should appear.

The GitOps way !

As the above example shows you exactly what needs to happen , we all know this is not the way.
The following is an example for you to understand how this can be integrated using helm.

You can easily integrate this in your existing helmcharts.

ingress.yaml

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: "dev"
  annotations:    
    {{- if .Values.app.ingress.whitelist.enabled }}
    nginx.ingress.kubernetes.io/whitelist-source-range: |
      {{- range $index, $ip := .Values.app.ingress.whitelist.ipList }}
      {{ $ip.value }}{{ if lt (add1 $index) (len $.Values.app.ingress.whitelist.ipList) }},{{ end }}
      {{- end }}
    {{- end }}    
spec:
  ingressClassName: nginx
  rules:    
    - host: {{ .Values.app.ingress.host }}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: "mywebservice"
                port:
                  number: 80

values.yaml

app:
  image:
    repository: myrepo
    tag: latest

  ingress:
    host: "example.com"
    whitelist:
      enabled: true
      ipList:
        - name: "The Office"
          value: "10.0.0.1/8"
        - name: "My grandmothers Windows XP machine"
          value: "192.168.1.36/32"

When applying the values file to the helmchart, templating will loop over the list of ip’s and add them all.
The “name”-value doesn’t actually do anything but it keeps things tidy and organized.

Conclusion

IP whitelisting is a simple yet effective way to enhance the security of your Kubernetes applications. By leveraging ingress-nginx annotations, you can easily control which IP addresses can access your services.
There’s a lot more that can be done with annotations, but that’s for another time.

Got questions or want to share your experience? Drop them in the comments below!

Sources

https://github.com/odileon-net/examples/tree/main/kubernetes/ingress-nginx/ip-whitelisting

https://docs.nginx.com/nginx-ingress-controller/installation

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow me for more content
Share this post if you liked it !

WANT ME TO BUILD YOUR PROJECT?

Comments

  1. Thanks , I’ve just been looking for information approximately this topic for a while and yours is the greatest I’ve found out so far. But, what about the conclusion? Are you certain about the supply?

    • Thanks,
      What do you mean , certain about the supply?