Does/will the GCE ingress controller support whitelist-source-range?

[bowei]

From @nickform on April 6, 2017 12:11

Can anyone comment on when we will be able to use the 'whitelist-source-range' annotation with the GCE Ingress Controller? From Googling plus experimentation the answer is not "it works right now" but perhaps we've made a mistake? If not, is this something which might happen in future? Thanks!

Copied from original issue: kubernetes/ingress-nginx#566

[bowei]

From @nicksardo on April 6, 2017 17:59

The L7 Google Cloud Load Balancer does not currently have firewall rules for source IPs. I'll keep this open in case the load balancer supports it in the future.

[bowei]

From @albertsun on April 28, 2017 17:6

This would be extremely useful to have. @nicksardo is there an open issue somewhere for the L7 LB to support source IP firewall rules where we can track the status of it?

[bowei]

From @nicksardo on April 28, 2017 17:30

https://issuetracker.google.com/issues/35904903

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

[mooperd]

Hi, what is the status of this issue? We'd like to be able to control access to specific k8s services. This seems like the most likely way of handling it.

Found this issue in google issue tracker: https://issuetracker.google.com/issues/35904903

[tonglil]

It is still relevant. The bug tracker also receives +1s on a regular basis.

[ghost]

Now that we have Cloud Armor and can restrict ingress based on IP, it would be interesting to incorporate Cloud Armor rules in ingress annotations.

Is there a plan for that?

[rramkumar1]

@Slabber Cloud Armor integration with ingress-gce will be coming very soon :)

[nicksardo]

/close
Now available in latest version of ingress-gce.

[cfebs]

@nicksardo - is a specific k8s version required to use the whitelist annotation? Or will it just start working for gce ingress?

[nickform]

This is great news - thanks to everyone who has tracked and worked on this.

[guilhermeShima]

Anyone was able to use the whitelist annotation in GCE ?

[rramkumar1]

Documentation for all our new feature support (IAP, CDN, CloudArmor) is available at https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig.

I will work on a PR to add this same documentation to the README here.

[mnemitz]

I know this is closed, but just wondering, is there any plan to support a whitelist/CloudArmor annotation at the ingress resource level?

[rramkumar1]

@mnemitz See https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig

[vTNT]

It's not a very good plan. It's too complicated