
I have created an Nginx VirtualServer ingress resource which has multiple paths:

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: web-server-ingress-vs
  namespace: web
spec:
  host: somehost.com
  upstreams:
  - name: web-test
    service: web-server-service
    port: 5000
  - name: another-one
    service: web-server-service
    port: 5000
  routes:
  - path: /
    action:
      pass: web-test
  - path: /test-another-one
    location-snippets: |
      deny all;
      allow some-subnet/24; # would like to allow only ingress from a certain ip range/address.
    action:
      pass: another-one

For certain paths, I would like to deny all access and only allow access from a certain IP address or range of addresses in the case of a local subnet. All addresses should be in CIDR notation.

Having "deny all" and then followed by an "allow" with some IP address/range (CIDR notation) like in the YAML above, it just denies all. I have tried adding in only the "allow" with a single IP address (CIDR notation /32) but it still allows access from other addresses.

Is this something that can be done or not? If it can, how? Thanks

Ingress controller = Nginx. All of this is running in AWS and Kubernetes.

glv
Gene Smith
  • You have to reverse statements under location snippets. First specify allow ip range and then specify deny all. Following is the statement from nginx documentation "The rules are processed in sequence, from top to bottom: if the first directive in the sequence is deny all, then all further allow directives have no effect." – Nataraj Medayhal Mar 20 '23 at 11:34
  • @NatarajMedayhal Unfortunately no luck, swapping the statements does not work either. – Gene Smith Mar 20 '23 at 12:08
  • Kindly check the generated configuration of location snippets in (.conf) file which will have configuration mentioned in VirtualServer. Also snippets can be mentioned as either configmap or annotation. Details are in following link https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-snippets – Nataraj Medayhal Mar 20 '23 at 13:27
  • @NatarajMedayhal The location entries appear within the generated .conf file. – Gene Smith Mar 20 '23 at 22:08
  • Please check ingress controller pods logs when the configuration is applied. Also, the snippets are disabled by default; you can check details on how to enable them https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-snippets/ – Nataraj Medayhal Mar 21 '23 at 03:14
  • @NatarajMedayhal The logs of the ingress controller look good, there are no exceptions with applying the Nginx VirtualServer resources. I am able to also see both the allow and deny entry in the created ingress resource within the controller. Snippets have also been enabled using "-enable-snippets" on the ingress controller deployment – Gene Smith Mar 23 '23 at 08:08
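
The top-to-bottom, first-match evaluation quoted from the nginx documentation in the comments above, modelled as an added example (not code from the post or from NGINX) and run over the rule orders discussed in the question. The subnet and client addresses are constructed from documentation ranges, and `parse_rules` and `decide` are hypothetical helper names.

```python
import ipaddress

# Constructed sample snippets; 192.0.2.0/24 stands in for "some-subnet/24".
AS_POSTED = "deny all;\nallow 192.0.2.0/24;  # rule order from the question"
ALLOW_ONLY = "allow 192.0.2.10/32;"
REORDERED = "allow 192.0.2.0/24;\ndeny all;"


def parse_rules(snippet):
    """Turn allow/deny directives into ordered (action, network) pairs."""
    rules = []
    for raw in snippet.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {raw!r}")
        action, target = parts
        if target == "all":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets = [ipaddress.ip_network(target, strict=False)]
        rules.extend((action, net) for net in nets)
    return rules


def decide(snippet, remote_addr):
    """Return 'allow' or 'deny' for the address nginx sees as the client."""
    addr = ipaddress.ip_address(remote_addr)
    for action, net in parse_rules(snippet):
        # First matching rule wins; later rules are never consulted.
        if addr.version == net.version and addr in net:
            return action
    return "allow"  # no rule matched, so the request is not restricted


if __name__ == "__main__":
    for name, snippet in [("as posted", AS_POSTED), ("allow only", ALLOW_ONLY),
                          ("reordered", REORDERED)]:
        for client in ("192.0.2.10", "203.0.113.7"):  # inside / outside subnet
            print(f"{name:10} {client:12} -> {decide(snippet, client)}")
```

The address passed to `decide` is the one nginx sees as the connection peer, which is what the access rules are matched against.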

0 Answers