Can I limit source IP to a GCP Load Balancer created by Ingress

Question

I have a Kubernetes 1.4.5 cluster running on GKE that I would like to put into test. It accepts HTTPS using an Ingress as below

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: keycloak-ingress
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    #kubernetes.io/ingress.class: "gce"
spec:
  tls:
  - secretName: mysecret
  backend:
    serviceName: keycloak-https-service
    servicePort: 443

Whilst in test, I want to limit the source IPs that can access my cluster. Because the Load Balancer converts the source IP of all incoming traffic into local IP addresses, the Google Cloud firewall cannot limit this traffic. Is there a way I can limit traffic going into the load balancer?

I understand this is strictly an GCE question, but there may be a solution that Kubernetes may offer.

Prashanth B Prashanth B · Accepted Answer · 2016-11-17T19:05:14

You're looking at a pipeline:

GCE L7 LB -> vm:nodePort -> pods

The traffic going:

GCE L7 LB -> your vms

should come from 130.211.0.0/22 as mentioned in https://cloud.google.com/compute/docs/load-balancing/http/#fundamentals. You should already have a firewall rule for that. The traffic going:

vms -> containers

should come from your vm ips. You can't regulate who talks the the lb, you can regulate who talks to the nodes.

Unfortunately because of the described situation, this doesn't work for HTTP LB. It will work for L3/L4 LB, because you get the source ip of your actual client in the packet that ends up at the vm: http://kubernetes.io/docs/user-guide/load-balancer/#annotation-to-modify-the-loadbalancer-behavior-for-preservation-of-source-ip

Can I limit source IP to a GCP Load Balancer created by Ingress

2 Answers