IP Whitelist support for TCP/UDP services #3202
Comments
/close
@aledbf: Closing this issue. In response to this:
@ElvinEfendi @aledbf Since it seems the TCP/UDP ingress is here to stay, can this be reopened if this functionality is not yet present?
@ElvinEfendi @aledbf Our use case: We have services that are publicly accessible and others that should only be accessible from within the office.
To avoid creating an additional load balancer per namespace to expose the private services, we have created a shared load balancer/nginx-ingress-controller which serves private TCP services across namespaces. I think using the same load balancer/nginx-ingress-controller to serve both private and public services within the namespace would make the architecture cleaner and easier to understand.
@michaelgeorgeattard Were you able to whitelist IPs for the TCP services? What is the backend of those services? Thanks
@tusciucalecs IPs are not whitelisted for TCP services; an alternative would be to create a separate firewall for the TCP services and whitelist the IPs at the firewall level.
@michaelgeorgeattard Is the shared load balancer an internal one, and is it using a Network Load Balancer? I have the same use case but I am using the classic load balancer, and nginx did not update those additional ports to the ELB nor security groups.
Is there any update on this issue? Was this solved?
Anyone happen to have a config example for configuring nginx ingress to pass these values to the nginx configuration?
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): tcp, whitelist
Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST
At the moment, it seems that there is no way to specify an IP whitelist for TCP/UDP services described using the tcp/udp-configmap mechanism.
I've started looking at this and making modifications to the template to support creating the appropriate nginx config using the same whitelisting annotations as an HTTP or HTTPS endpoint. I can see how, where the underlying platform (in my case an AKS Load Balancer) passes through the client IP as the source of the IP traffic, a simple Allow/Deny approach will work, but where the Load Balancer doesn't pass through the source address in the IP traffic this won't work. Is that a problem?
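The allow/deny approach described in the issue above, written as plain nginx `stream` configuration for both cases it raises (source IP preserved, and source IP hidden by the load balancer). This is an added example, not part of the thread and not output of the ingress-nginx template; every address, port and upstream name is a constructed placeholder, and the second server assumes the load balancer sends a PROXY protocol header.

```nginx
# Added illustration: plain nginx stream config, not generated by ingress-nginx.
# All addresses, ports and upstream names below are constructed placeholders.
stream {
    upstream private_tcp_backend {
        server 10.0.0.10:5432;            # placeholder backend
    }

    # Case 1: the load balancer preserves the client source IP.
    # allow/deny (ngx_stream_access_module) match the TCP peer address,
    # are checked in order, and the first matching rule wins.
    server {
        listen 5432;
        allow 203.0.113.0/24;             # office range (documentation prefix)
        deny  all;
        proxy_pass private_tcp_backend;
    }

    # Case 2: the load balancer opens its own connection to nginx, so the
    # peer address is the balancer's and the rules above would match the
    # wrong host. Assumes the balancer sends a PROXY protocol header and
    # nginx is built with ngx_stream_realip_module.
    server {
        listen 5433 proxy_protocol;
        # Accept the address from the header only when the connection comes
        # from the balancer's subnet; from any other peer the header is
        # ignored and allow/deny see the real peer address.
        set_real_ip_from 10.240.0.0/16;   # placeholder balancer subnet
        allow 203.0.113.0/24;
        deny  all;
        proxy_pass private_tcp_backend;
    }
}
```

Keep `set_real_ip_from` as narrow as the balancer's actual address range: a wide trusted range lets any host inside it supply a client address that passes the `allow` rule.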