ingress nginx whitelist-source-range with L7 Load Balancing (X-Forwarded-For)

simple diagram

1. Update config map: ingress-nginx-controller

$ kubectl edit cm -n ingress-nginx ingress-nginx-controller

add below setting:

enable-real-ip: "true"
forwarded-for-header: X-Forwarded-For
proxy-real-ip-cidr: 100.0.0.0/8 # Load Balancer CIDR

2. Update ingress annotation

nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.31.0/24, 192.168.41.0/24

Result:

client A: ip 192.168.31.54 = Allow

client B: ip 10.11.15.110 = Deny

That’s all