Add IP allowlist to ingress-nginx in Kubernetes

Many applications running in Kubernetes should be exposed to the public internet where anyone can access them.  Some, however, should not be broadly accessible but still reachable by a small number of users/applications.  It's possible with the Ingress-Nginx ingress controller to configure an allowlist for specific or ranges of IP addresses that should have access to a given application.

Ingress-Nginx is a free kubernetes ingress controller which can be used to direct internet traffic to applications running in Kubernetes.  This should first be configured by following the installation guide.  Once that's complete, ingress resources can be set up to direct external traffic to your kubernetes pods.

Before setting up the allowlist, a list of IP addresses or IP address ranges must be created.  Users who need access to the application can find their IP address by googling "what's my IP" or there are numerous websites that will return the user's IP address.  Cloud providers and virtual networks allow for configuration of IP address ranges using CIDR notation, which can be easily located within the settings of the relevant cloud provider.

Adding the allowlist is fairly straightforward.  In the yaml file defining the ingress, metadata.annotations.nginx.ingress.kubernetes.io/whitelist-source-range should be set as a string of the acquired IP addresses in CIDR notation (this is simply appending /32 to the end of the IP address) and CIDR ranges mentioned earlier, separated by commas.  For example, if you have users with IP addresses 123.45.67.89 and 98.76.54.231 and a virtual network allocated the CIDR range of 10.10.10.0/24, the configuration would be:

Once that's in place, simply apply the ingress yaml file using the method appropriate to your Kubernetes cluster and it will update the configuration accordingly!  More information can be found here.