2

I'm using GKE and want to restrict my external load balancers from unwanted traffic. I found two options that are problematic for me:

  1. Nginx plus + maxmind solution for geo filtering - I'm looking for an open source solution (and the maxmind lite is not available anymore).
  2. GKE Ingress + Cloud armor, but I'm using nginx and other load balancers and not the GKE Ingress.

I'm looking for a better solution, maybe at a global Kubernetes level, implemented as a DaemonSet or a regular deployment proxy.

Harsh Manvar
Idan

1 Answer

2

I would suggest checking out: https://lab.wallarm.com/how-to-protect-your-kubernetes-cluster-with-wallarm-configuration-and-finetuning-part-2-of-3/

And the nice Wallarm WAF ingress controller: https://github.com/wallarm/ingress

With Nginx ingress, there are options to increase security:

ModSecurity at application level metadata and proxy payload size management.

For DDoS protection, you can use the rate-limiting and connection handling options:

```yaml
nginx.ingress.kubernetes.io/limit-connections: '2'
nginx.ingress.kubernetes.io/limit-rpm: '60'
```

You can also whitelist a list of IPs.

Harsh Manvar

This can be helpful, but what about filtering at a country level? If my application runs in the US, I would like only IPs from the US to be able to access it, which is the solution of MaxMind. Are you familiar with a free alternative for country IP range databases? – Idan Oct 14 '21 at 08:05