Kubernetes whitelist-source-range blocks instead of whitelist IP

Yes. However, I figured out by myself. Your service has to be enabled externalTrafficPolicy: Local. That means that the actual client IP should be used instead of the internal cluster IP.

To accomplish this run kubectl patch svc nginx-ingress-controller -p '{"spec":{"externalTrafficPolicy":"Local"}}'

Your nginx controller service has to be set as externalTrafficPolicy: Local. That means that the actual client IP will be used instead of cluster's internal IP.

You need to get the real service name from kubectl get svc command. The service is something like:

NAME                                          TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
nobby-leopard-nginx-ingress-controller        LoadBalancer   10.0.139.37    40.83.166.29   80:31223/TCP,443:30766/TCP   2d

nobby-leopard-nginx-ingress-controller is the service name you want to use.

To finish this, run kubectl patch svc nobby-leopardnginx-ingress-controller -p '{"spec":{"externalTrafficPolicy":"Local"}}'

When you setting up a new nginx controller, you can use the command below:

helm install stable/nginx-ingress \
  --namespace kube-system \
  --set controller.service.externalTrafficPolicy=Local`

to have a nginx ingress controller accept whitelist after installing.

Kubernetes whitelist-source-range blocks instead of whitelist IP

Tags:

Nginx

Google Compute Engine

Kubernetes

Related

Recent Posts