Equivalent to nginx.ingress.kubernetes.io/whitelist-source-range

[JFrandon]

Hello.

I used to use the nginx-ingress. (Thank you NGINX for being so reliable for so long btw).

An annotation I used to use quite often on ingresses was nginx.ingress.kubernetes.io/whitelist-source-range

I am looking to port to Gateway Fabric. Is there a similar configuration or annotation available?

Thank you

[ciarams87]

Hi @JFrandon!

Thanks so much for your kind words and your interest in our project!

NGINX Gateway Fabric does not have a built-in equivalent to the ingress-nginx nginx.ingress.kubernetes.io/whitelist-source-range annotation. However, the same functionality can be achieved using SnippetsFilter (or, as of our 2.4 release, SnippetsPolicy), which allows you to inject raw NGINX configuration directives (such as allow and deny) into the generated NGINX config.

Route-Level IP Whitelisting

1. Create the SnippetsFilter

apiVersion: gateway.nginx.org/v1alpha1
kind: SnippetsFilter
metadata:
  name: ip-whitelist
spec:
  snippets:
    - context: http.server.location
      value: |
        allow 10.0.0.0/8;
        allow 192.168.1.0/24;
        deny all;

2. Reference it in your HTTPRoute

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-route
spec:
  parentRefs:
    - name: gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.nginx.org
            kind: SnippetsFilter
            name: ip-whitelist
      backendRefs:
        - name: my-service
          port: 80

Context Options

You can place allow/deny directives in different snippet contexts depending on the desired scope:

Context	Scope
http.server.location	Applies to the specific route rule the filter is attached to
http.server	Applies to the entire virtual host / server block
http	Applies globally across all server blocks

Gateway-Wide IP Whitelisting (Coming in v2.4.0)

If you want to apply IP restrictions across an entire Gateway rather than individual routes, you can use SnippetsPolicy instead:

apiVersion: gateway.nginx.org/v1alpha1
kind: SnippetsPolicy
metadata:
  name: gateway-ip-whitelist
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: my-gateway
  snippets:
    - context: http.server
      value: |
        allow 10.0.0.0/8;
        deny all;

Notes

• NGINX processes allow and deny directives in order; the first match wins.
• deny all; at the end acts as a default-deny, only permitting the CIDRs listed above it.
• Only one snippet per context is allowed per SnippetsFilter resource.

[ciarams87]

Just to add to this, we have native access control targeted for our v2.6.0 milestone, so stay tuned!

[JFrandon]

Thank you so much.

Really looking forward to v2.6.0 then 😄