IP Whitelist support for TCP/UDP services #3202

Closed
beezly opened this issue Oct 8, 2018 · 11 comments

beezly commented Oct 8, 2018

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): tcp, whitelist


Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST

At the moment, it seems that there is no way to specify an IP whitelist for TCP/UDP services described using the tcp/udp-configmap mechanism.

I've started looking at this and making modifications to the template to support creating the appropriate nginx config using the same whitelisting annotations as an HTTP or HTTPS endpoint. I can see that where the underlying platform (in my case an AKS Load Balancer) passes through the client IP as the source of the IP traffic, a simple Allow/Deny approach will work, but where the Load Balancer doesn't pass through the source address in the IP traffic this won't work. Is that a problem?
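The two cases raised in the issue above, sketched as a plain nginx `stream` configuration. This is an added example, not part of the original issue and not output of the ingress-nginx template. It goes beyond the post by showing PROXY protocol as one way to recover the client address; all addresses, ports and the upstream name are constructed placeholders, and the second server assumes the load balancer can send PROXY protocol and that nginx was built with `ngx_stream_realip_module`.

```nginx
# Added illustration: plain nginx, hypothetical names and constructed addresses.
stream {
    upstream private_tcp_backend {
        server 10.0.0.10:5432;          # hypothetical backend service
    }

    # Case 1: the load balancer preserves the client source address.
    # allow/deny (ngx_stream_access_module) are matched against the TCP
    # peer address; rules are checked in order and the first match wins.
    server {
        listen 5432;
        allow 203.0.113.0/24;           # constructed "office" range
        deny  all;                      # everything else is rejected
        proxy_pass private_tcp_backend;
    }

    # Case 2: the load balancer rewrites the source address, so the peer
    # address nginx sees is the balancer's and the rules in case 1 would
    # either admit every client or reject every client.
    # With PROXY protocol enabled on the balancer, the original client
    # address is carried in the connection preamble instead.
    server {
        listen 5433 proxy_protocol;

        # Accept the PROXY protocol address only from the balancer's own
        # range (constructed). Without this restriction any peer could
        # claim an allowed address in a forged header.
        set_real_ip_from 10.240.0.0/16;

        allow 203.0.113.0/24;           # now matched against the client address
        deny  all;
        proxy_pass private_tcp_backend;
    }
}
```

If the balancer neither preserves the source address nor sends PROXY protocol, nginx has no trustworthy client address to match, and filtering has to happen in front of it.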

@ElvinEfendi
Member

@beezly ingress-nginx won't be supporting TCP/UDP services at all starting with the coming version #3197

@aledbf
Member

aledbf commented Oct 8, 2018

/close

@k8s-ci-robot
Contributor

@aledbf: Closing this issue.

In response to this:

/close


@wouterh-dev

@ElvinEfendi @aledbf Since it seems the TCP/UDP ingress is here to stay, can this be reopened if this functionality is not yet present?

@michaelgeorgeattard

michaelgeorgeattard commented Apr 1, 2019

@ElvinEfendi @aledbf Our use case:

We have services that are publicly accessible and others that should only be accessible from within the office.

  • The public services are HTTP services having corresponding ingress resources
  • The private services are exposed as TCP services

To avoid creating an additional load balancer per namespace to expose the private services, we have created a shared load balancer/nginx-ingress-controller which serves private TCP services across namespaces.

I think using the same load balancer/nginx-ingress-controller to serve both private and public services within the namespace would make the architecture cleaner and easier to understand.

@tusciucalecs

@michaelgeorgeattard Were you able to whitelist IPs for the TCP services? What is the backend of those services? Thanks
Up.

@sadjunky

@tusciucalecs IPs are not whitelisted for TCP services; an alternative would be to create a separate firewall for the TCP services and whitelist the IPs at the firewall level.

@bbhenry

bbhenry commented Aug 11, 2021

@michaelgeorgeattard Is the shared load balancer an internal one, and is it using a Network Load Balancer? I have the same use case but I am using the classic load balancer, and nginx did not update those additional ports to the ELB nor security groups.

@jackivanov
Contributor

jackivanov commented May 2, 2022

@hostmit

hostmit commented May 22, 2023

Is there any update on this issue? Was this solved?

@muscovitebob

Anyone happen to have a config example for configuring nginx ingress to pass these values to the nginx configuration?
