
How to use nginx ingress controller, want to allow application only for VPN user


My company is using a Kubernetes cluster. I want to restrict one app, like Kafka, to internal (VPN) users only; right now it's open to all. How can I restrict it to VPN users only? Here is my ingress rule. I need help and guidance on how I can restrict it to VPN users. Currently I am putting the VPN IP, and my company is using a load balancer also. Which IP should I whitelist? I tried with the whitelisting annotation but it's not working.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kafdrop-ingress
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/whitelist-source-range: X.X.X.X/32
spec:
  tls:
  - hosts:
    - kafka-abc.xyz
    secretName: kafdrop-tls
  rules:
  - host: kafka-abc.xyz
    http:
        paths:
        - pathType: Prefix
          path: "/"
          backend:
            service:
              name: kafdrop
              port:
                number: 9000

Solution

  • You have to enable proxy protocol on the ingress-nginx-controller Kubernetes Service, which allows the load balancer to forward client connection information (such as client IP addresses) to your nodes.

    Add the annotation below to the ingress-nginx-controller Service:

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"   # <------ This config
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.7.1
      name: ingress-nginx-controller
      namespace: ingress-nginx
    spec:
      externalTrafficPolicy: Local
    

    Secondly, you will also need to enable proxy protocol in the ingress-nginx-controller Kubernetes ConfigMap. This lets the controller receive client connection (real IP address) information passed through proxy servers and load balancers such as HAProxy.

    apiVersion: v1
    data:
      allow-snippet-annotations: "true"
      use-proxy-protocol: "true"        # <--------------- This config
    kind: ConfigMap
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.7.1
      name: ingress-nginx-controller
      namespace: ingress-nginx
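As an added example (not part of the question or answer above), here is a small Python model of why the whitelist annotation fails behind a load balancer until proxy protocol is enabled: without it the controller only sees the load balancer's address, with it the real client address arrives in a PROXY v1 header and is checked against the allow list. All addresses and the header bytes are constructed sample values.

```python
import ipaddress

# Constructed sample values; the real VPN egress IP belongs in the annotation.
WHITELIST_SOURCE_RANGE = "203.0.113.10/32"   # VPN egress address (constructed)
LOAD_BALANCER_IP = "10.0.0.5"                # LB's internal address (constructed)

def parse_allow_list(annotation: str):
    """Parse a comma-separated whitelist-source-range value into networks."""
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in annotation.split(",") if c.strip()]

def parse_proxy_v1(header: bytes):
    """Return the original client IP from a PROXY protocol v1 header line.
    Format: 'PROXY TCP4 <src-ip> <dst-ip> <src-port> <dst-port>\r\n'.
    Returns None when the line is not a valid v1 header."""
    if not header.endswith(b"\r\n"):
        return None
    fields = header[:-2].decode("ascii", errors="replace").split(" ")
    if len(fields) != 6 or fields[0] != "PROXY" or fields[1] not in ("TCP4", "TCP6"):
        return None
    try:
        return ipaddress.ip_address(fields[2])
    except ValueError:
        return None

def client_allowed(peer_ip: str, allow_list, proxy_header: bytes = None) -> bool:
    """Decide the way the controller does: with use-proxy-protocol on, the
    source in the PROXY header is the client; a malformed header rejects the
    connection. Without proxy protocol only the TCP peer address is known."""
    if proxy_header is not None:
        src = parse_proxy_v1(proxy_header)
        if src is None:
            return False          # bad header: drop rather than trust the peer
    else:
        src = ipaddress.ip_address(peer_ip)
    return any(src in net for net in allow_list)

def demo():
    allow = parse_allow_list(WHITELIST_SOURCE_RANGE)
    vpn_header = b"PROXY TCP4 203.0.113.10 10.0.0.5 54321 443\r\n"   # constructed
    other_header = b"PROXY TCP4 198.51.100.7 10.0.0.5 40000 443\r\n"  # constructed
    without_pp = client_allowed(LOAD_BALANCER_IP, allow)             # LB IP only
    with_pp = client_allowed(LOAD_BALANCER_IP, allow, vpn_header)    # real VPN IP
    non_vpn = client_allowed(LOAD_BALANCER_IP, allow, other_header)  # still denied
    return without_pp, with_pp, non_vpn

if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The first result is the symptom from the question: every request appears to come from the load balancer, so whitelisting the VPN address matches nothing until proxy protocol is enabled end to end.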