Whitelist IPs on GCP Kubernetes Ingress

#rishavnotes
1 min read · Sep 28, 2018


What? — Allow traffic from specified external public IP address(es) into a Kubernetes cluster on Google Cloud Platform (GCP), and reject everything else.

Why? — Security: a service that only internal users need should be reachable only from their known egress addresses, not from the whole internet.

How? — GCP VPC firewall rules apply to VM instances and their network interfaces, not to the global HTTP(S) load balancer that a GKE Ingress creates, so they cannot restrict who reaches the Ingress. If you want to allow only specific source IP addresses (for example users connecting through a VPN, in which case the relevant address is the VPN gateway's public IP), there is no out-of-the-box setting on the GKE Ingress itself. (Cloud Armor security policies can attach an IP allow/deny list to the load balancer's backend services; the approach below enforces the same restriction inside the cluster instead.)

Nginx and the HTTP header X-Forwarded-For to the rescue

If you are using GKE, chances are you run a microservices architecture behind an API gateway, and chances are that gateway is Nginx. Nginx then only needs to be configured to accept requests whose X-Forwarded-For header ends with the following two addresses. The Google load balancer appends them to whatever the client sent, so only these trailing entries can be trusted; any earlier entries in the header were supplied by the client and must be ignored.

user.ext.static.ip → public IP of the client (the second-to-last entry)

app.global.static.ip → global static IP assigned to the Ingress (the last entry, proving the request came through the load balancer)

Solution outline

The header extraction and filtering logic is written in Lua. Here's what the nginx.conf looks like:

And the validate-ip Lua script:

The Lua script requires the cjson library.
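The following is an added example of the whole setup, not the post's own gists: an OpenResty-style nginx.conf that loads a JSON allowlist with cjson at startup and then, for every request, trusts only the last two X-Forwarded-For entries (client IP, then load balancer IP) as described above. The file path /etc/nginx/allowlist.json, the client address 198.51.100.7, the Ingress address 203.0.113.10 and the upstream name "backend" are all placeholders chosen for this example.

```nginx
# Added example (not the original post's config). Assumes nginx with
# lua-nginx-module and lua-cjson (as shipped in OpenResty), an allowlist at
# /etc/nginx/allowlist.json of the form
#   {"allowed_clients": ["198.51.100.7"], "ingress_ip": "203.0.113.10"}
# where ingress_ip is the global static IP of the GKE Ingress and
# allowed_clients are the permitted client egress IPs (e.g. a VPN gateway).
# Both addresses are placeholders for this example.

events { worker_connections 1024; }

http {
    # Parse the allowlist once in the master process; the globals set here
    # are inherited by every worker.
    init_by_lua_block {
        local cjson = require "cjson.safe"
        local f = assert(io.open("/etc/nginx/allowlist.json", "r"))
        local cfg = cjson.decode(f:read("*a"))
        f:close()
        if not cfg or type(cfg.allowed_clients) ~= "table" or not cfg.ingress_ip then
            error("allowlist.json is missing allowed_clients or ingress_ip")
        end
        ALLOWED_CLIENTS = {}
        for _, ip in ipairs(cfg.allowed_clients) do
            ALLOWED_CLIENTS[ip] = true
        end
        INGRESS_IP = cfg.ingress_ip
    }

    upstream backend {
        server 127.0.0.1:8080;   # placeholder for the real API gateway backend
    }

    server {
        listen 80;

        location / {
            access_by_lua_block {
                local xff = ngx.var.http_x_forwarded_for
                if not xff then
                    -- No header at all: the request did not pass through the LB.
                    ngx.log(ngx.WARN, "no X-Forwarded-For from ", ngx.var.remote_addr)
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end

                -- Split on commas and trim surrounding whitespace from each hop.
                local hops = {}
                for entry in xff:gmatch("[^,]+") do
                    hops[#hops + 1] = entry:match("^%s*(.-)%s*$")
                end

                -- The Google HTTP(S) load balancer appends "<client IP>, <LB IP>".
                -- Everything before those two entries came from the client and is
                -- attacker-controlled, so index from the end, never from the start.
                local n = #hops
                local lb_ip = hops[n]
                local client_ip = hops[n - 1]

                if n < 2 or lb_ip ~= INGRESS_IP or not ALLOWED_CLIENTS[client_ip] then
                    ngx.log(ngx.WARN, "blocked xff=", xff,
                            " client=", tostring(client_ip), " lb=", tostring(lb_ip))
                    return ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            }
            proxy_pass http://backend;
        }
    }
}
```

With this config a request carrying `X-Forwarded-For: 1.2.3.4, 198.51.100.7, 203.0.113.10` is admitted, while `X-Forwarded-For: 198.51.100.7, 203.0.113.10, 9.9.9.9, 203.0.113.10` is rejected because the second-to-last entry (9.9.9.9) is the real client. One caveat remains: the check only holds if every path to nginx goes through the load balancer. If nginx is also reachable directly (a NodePort exposed on the node's public IP, for instance), a caller on that path can set the whole header themselves, so either close those paths or additionally require that `$remote_addr` falls within Google's load balancer proxy ranges (130.211.0.0/22 and 35.191.0.0/16).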
