white listing #1410

Closed
ssinhas opened this issue Sep 22, 2017 · 18 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. nginx

ssinhas commented Sep 22, 2017

We are working on GCP.

We have three namespaces. Jenkins is running in the Jenkins namespace.
We are running the nginx ingress controller in the "dev" namespace.

We created an ingress rule for Jenkins which has
ingress.kubernetes.io/whitelist-source-range: 1.2.3.4/32

But this whitelisting doesn't seem to be working.

Do I need an nginx ingress controller in the jenkins namespace?
I tried this but it doesn't seem to work.

If I recreate the Jenkins ingress, do I have to recreate the ingress controller pod again? I did try deleting and creating the nginx ingress controller a couple of times.

How can I make whitelisting work?

I really appreciate any help. I am totally stuck.

We are using NGINX: 0.9.0-beta.13 image

@hzxuzhonghu
Member

Look into nginx.conf to see if the whitelist is configured.

Author

ssinhas commented Sep 25, 2017

No, I don't see it. I thought the ingress rule would update that.

@aledbf aledbf added the nginx label Sep 29, 2017
Contributor

egeland commented Oct 4, 2017

We're seeing a similar issue on beta.14 - we were getting real source IPs in the logs on beta.11, and on .14, we're getting in-cluster IPs.
We're rolling back to .11 to confirm.

Member

aledbf commented Oct 8, 2017

Closing. If you are running in GCE you need to add the annotation service.beta.kubernetes.io/external-traffic: OnlyLocal in the service to get the real IP address.

Also please update to NGINX: 0.9.0-beta.15

@aledbf aledbf closed this as completed Oct 8, 2017
Author

ssinhas commented Oct 9, 2017

Looks like this solution has been deprecated: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer
Newer Kubernetes versions may stop supporting these after v1.7.

Member

aledbf commented Oct 9, 2017

Author

ssinhas commented Oct 11, 2017

Can we please change the status to open?
Here is my svc file:

```yaml
kind: Service
apiVersion: v1
metadata:
  name: jenkins-ui
  namespace: jenkins
spec:
  type: NodePort
  externalTrafficPolicy: Local
  selector:
    app: master
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 8080
    name: ui
```

Here is my ingress file:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jenkins
  namespace: jenkins
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    ingress.kubernetes.io/whitelist-source-range: 96.72.176.237/32
spec:
  tls:
  - secretName: jenkins-tls
  backend:
    serviceName: jenkins-ui
    servicePort: 8080
```

Upgraded the nginx controller to 0.9.0-beta.15.

Whitelisting still doesn't work.

@aledbf aledbf reopened this Oct 11, 2017
Member

aledbf commented Oct 11, 2017

@ssinhas please post the ingress pod logs

Member

aledbf commented Oct 11, 2017

@ssinhas kubernetes.io/ingress.allow-http: "false" is not supported in the nginx ingress controller

Author

ssinhas commented Oct 11, 2017

It does and it works. If I access http://...., it gives a 404 error...

The nginx controller logs show useless info:

```
I1011 22:30:34.176755 5 controller.go:304] backend reload required
I1011 22:30:34.249270 5 controller.go:313] ingress backend successfully reloaded...
I1011 22:31:26.629438 5 status.go:362] updating Ingress jenkins/jenkins status to [{35.202.164.214 }]
I1011 22:31:26.629760 5 status.go:362] updating Ingress lmms-dev/frontend-srv status to [{35.202.164.214 }]
I1011 22:31:26.637448 5 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"jenkins", Name:"jenkins", UID:"62f2dc3a-aded-11e7-86cc-42010a800fe9", APIVersion:"extensions", ResourceVersion:"160311", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress jenkins/jenkins
I1011 22:31:26.639081 5 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"lmms-dev", Name:"frontend-srv", UID:"b3d2107c-aece-11e7-86cc-42010a800fe9", APIVersion:"extensions", ResourceVersion:"160312", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress lmms-dev/frontend-srv
I1011 22:31:29.435068 5 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"jenkins", Name:"jenkins", UID:"62f2dc3a-aded-11e7-86cc-42010a800fe9", APIVersion:"extensions", ResourceVersion:"160317", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress jenkins/jenkins
I1011 22:31:30.846694 5 controller.go:304] backend reload required
I1011 22:31:30.924577 5 controller.go:313] ingress backend successfully reloaded...
I1011 22:31:32.639500 5 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"lmms-dev", Name:"frontend-srv", UID:"b3d2107c-aece-11e7-86cc-42010a800fe9", APIVersion:"extensions", ResourceVersion:"160321", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress lmms-dev/frontend-srv
I1011 22:31:34.177172 5 controller.go:304] backend reload required
I1011 22:31:34.248345 5 controller.go:313] ingress backend successfully reloaded..
```

Member

aledbf commented Oct 11, 2017

@ssinhas please make some requests to 35.202.164.214. That should appear in the log.
(I want to see the client IP address)
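
An added example, not part of the original thread or the project's code: a check for the client addresses the request above is meant to surface. It compares each logged source address with the whitelist from the posted Ingress and flags RFC 1918 sources, which on an internet-facing ingress indicate source NAT, so the whitelist is evaluated against a node or cluster address. The log lines are constructed and use a simplified format (client address as the first field), and the function names are hypothetical.

```python
import ipaddress

# Annotation value from the Ingress posted in this thread.
WHITELIST = ["96.72.176.237/32"]

# RFC 1918 ranges: a source in one of these did not come straight from the internet.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed access-log lines, simplified so the client address is field one.
SAMPLE_LOG = """\
10.8.0.1 - [11/Oct/2017:22:40:01 +0000] "GET /login HTTP/1.1" 403
10.128.0.5 - [11/Oct/2017:22:40:07 +0000] "GET / HTTP/1.1" 403
96.72.176.237 - [11/Oct/2017:22:41:13 +0000] "GET / HTTP/1.1" 200
203.0.113.9 - [11/Oct/2017:22:41:20 +0000] "GET / HTTP/1.1" 403
"""


def classify(line, whitelist=WHITELIST):
    """Return (addr, allowed, natted) for one log line, or None if unparsable."""
    fields = line.split()
    if not fields:
        return None
    try:
        addr = ipaddress.ip_address(fields[0])
    except ValueError:
        return None
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in whitelist]
    allowed = any(addr in n for n in nets)
    # An internal source means the real client address was rewritten before
    # nginx saw it, so no public /32 in the whitelist can ever match.
    natted = any(addr in n for n in INTERNAL)
    return str(addr), allowed, natted


def audit(log_text, whitelist=WHITELIST):
    """Group logged client addresses by how the whitelist would treat them."""
    rows = [r for r in (classify(l, whitelist) for l in log_text.splitlines()) if r]
    return {
        "natted": [a for a, _, nat in rows if nat],
        "allowed": [a for a, ok, _ in rows if ok],
        "denied_public": [a for a, ok, nat in rows if not ok and not nat],
    }


if __name__ == "__main__":
    for key, addrs in audit(SAMPLE_LOG).items():
        print(f"{key}: {addrs}")
```
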

Author

ssinhas commented Oct 11, 2017

I am not sure what service is running on 35.202.164.214.

updating Ingress jenkins/jenkins status to [{35.202.164.214 }]

What does it even mean?

Member

aledbf commented Oct 11, 2017

> what does it even mean?

That is the IP of the node where the pod of the ingress controller is running.

Member

aledbf commented Oct 11, 2017

> externalTrafficPolicy: Local

That must be used in the ingress service, not in the jenkins one.

Author

ssinhas commented Oct 12, 2017

I did that one too. Still doesn't work.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 11, 2018
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 11, 2018
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
