
How to restrict access to Keycloak admin console to a specific IP/IP range?


Is there any way to restrict access to the Keycloak admin console by IP / IP range? I have deployed Keycloak in Azure Kubernetes, which uses the Nginx Ingress controller. So, I tried to restrict it as highlighted below

enter image description here

but it blocks everything. I would assume that Ingress receives the incoming request from the Azure Kubernetes Load balancer so it does not consider the client IP to allow access.

How do I restrict the access to the keycloak admin console by IP / IP Range?

Update #1: I believe that the above configuration to restrict the path by the IP / IP range is effective, except that it redirects the incoming request to a non-existing location:

xxx.xxx.xxx.xxx - - [30/Aug/2023:15:42:25 +0000] "GET **/admin/** HTTP/2.0" 404 548 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36" 507 0.000 [-] [] - - - - bfbe1faa35dcc40e82e5e22bd557cf96

2023/08/30 15:42:25 [error] 1171#1171: *6809656 **"/usr/local/nginx/html/admin/index.html"** is not found (2: No such file or directory), client: 173.32.206.145, server: account.qa.oly.nova-x.co, request: "GET /admin/ HTTP/2.0", host: "xxxx"

I was expecting this to apply just the IP based filter but not change the existing behaviour.


Solution

  • You can use loadBalancerSourceRanges on the service as mentioned here.

    To restrict traffic for a certain path use location-snippet instead of server-snippet as detailed in this answer.
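A manifest sketch of the two controls discussed above, added here as an illustration and not taken from the question or the answer. It uses the ingress-nginx `whitelist-source-range` annotation on a dedicated Ingress for the admin path rather than a snippet, and sets `externalTrafficPolicy: Local` so the controller sees the real client address. All names, namespaces, labels, the host, the backend port and the CIDR are assumed placeholders.

```yaml
# Added example. Every name, label, host, port and CIDR below is a constructed placeholder.

# 1) Ingress controller Service: preserve the client source IP.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller          # assumed Service name
  namespace: ingress-nginx                # assumed namespace
spec:
  type: LoadBalancer
  # With the default "Cluster" policy the source address may be rewritten to a
  # node IP before NGINX sees it, so an allow-list can end up denying everyone.
  externalTrafficPolicy: Local
  # loadBalancerSourceRanges filters ALL traffic through this Service,
  # not a single path; enable it only if the whole endpoint should be restricted.
  # loadBalancerSourceRanges:
  #   - 203.0.113.0/24
  selector:
    app.kubernetes.io/name: ingress-nginx          # assumed labels
    app.kubernetes.io/component: controller
  ports:
    - name: https
      port: 443
      targetPort: https
---
# 2) Separate Ingress that covers only the admin path. The allow-list is
#    rendered inside the generated location block for /admin, so the request
#    is still proxied to Keycloak; other paths on the host stay in their own
#    Ingress and are not affected.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-admin                    # assumed name
  namespace: keycloak                     # assumed namespace
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"
spec:
  ingressClassName: nginx
  rules:
    - host: keycloak.example.com          # placeholder host
      http:
        paths:
          - path: /admin
            pathType: Prefix
            backend:
              service:
                name: keycloak            # assumed backend Service
                port:
                  number: 8080            # assumed backend port
```

With this in place, a request to `/admin/` from outside the listed range should show up in the controller access log as a 403 rather than the 404 seen in the question.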