If you are using Ingress on your Kubernetes cluster it is possible to restrict access to your application based on dedicated IP addresses. One possible use case would be that you have a development setup and don't want to make all the fancy new features available to everyone, especially competitors. In such cases, IP whitelisting to restrict access can be used .This can be done with specifying the allowed client IP source ranges through the `ingress.kubernetes.io/whitelist-source-range` annotation. The value is a comma separated list of CIDR block, e.g. 10.0.0.0/24,22.214.171.124/32.
If you want to set a default global set of IPs this needs to be set in the config of the ingress-controller. In the example below we use the NGINX ingress-controller and could set that default value in the config-map used for the ingress-controller. The global value can be overwritten using annotation in the Ingress rule. Please note that not all ingress-controllers support whitelisting, please check the documentation of the ingress-controller you're using.
apiVersion: extensions/v1beta1 kind: Ingress metadata: name: whitelist annotations: ingress.kubernetes.io/whitelist-source-range: "126.96.36.199/24" spec: rules: - host: whitelist.test.net http: paths: - path: / backend: serviceName: webserver servicePort: 80
Testing with the annotation set:
curl -v -H "Host: whitelist.test.net" /graph (out)* Trying ... (out)* TCP_NODELAY set (out)* Connected to () port 80 (#0) (out)> GET /graph HTTP/1.1 (out)> Host: whitelist.test.net (out)> User-Agent: curl/7.51.0 (out)> Accept: */* (out)> (out)< HTTP/1.1 403 Forbidden (out)< Server: nginx/1.11.3 (out)< Date: Tue, 07 Feb 2017 09:46:51 GMT (out)< Content-Type: text/html (out)< Content-Length: 169 (out)< Connection: keep-alive (out)<403 Forbidden (out)<center> (out)<h1>403 Forbidden</h1> (out)</center><hr><center>nginx/1.11.3</center> (out)* Curl_http_done: called premature == 0 * Connection #0 to host left intact
Testing without the annotation set:
curl -v -H "Host: whitelist.test.net" <HOST-IP>/graph (out)* Trying <HOST-IP>... (out)* TCP_NODELAY set (out)* Connected to <HOST-IP> (<HOST-IP>) port 80 (#0) (out)> GET /graph HTTP/1.1 (out)> Host: whitelist.test.net (out)> User-Agent: curl/7.51.0 (out)> Accept: */* (out)> (out)< HTTP/1.1 200 OK (out)< Server: nginx/1.11.3 (out)< Date: Tue, 07 Feb 2017 09:49:01 GMT (out)< Content-Type: text/html; charset=utf-8 (out)< Transfer-Encoding: chunked (out)< Connection: keep-alive (out)* Curl_http_done: called premature == 0 (out)* Connection #0 to host <HOST-IP> left intact
Using this simple annotation, you're able to restrict who can access the applications in your kubernetes cluster by its IPs.