Kong — IP Restriction plugin within kubernetes

Joshua Callis
2 min read, Jan 9, 2021


You’d think just adding the plugin would work out of the box. How I was mistaken…

This is a quick write-up on my experience and isn’t intended as a tutorial on how to set up Kubernetes/Kong. This is for individuals who have set up Kong and a couple of plugins, gone to set up the IP Restriction plugin, and got p****d that it didn’t allow their IP through.

By default, when you set up the db-less cluster (https://bit.ly/kong-ingress-dbless), the setup doesn’t contain the configuration to enable IP whitelisting via Kong or by any other means, such as the ingress annotation:

    nginx.ingress.kubernetes.io/whitelist-source-range: "999.999.999.999/32"

Why, you ask?

Well, by default, when you make a request to a URI such as:

curl -i https://example.com/foo

or, if you’ve followed the Kong ‘echo’ example (https://docs.konghq.com/kubernetes-ingress-controller/1.1.x/guides/getting-started/):

curl -i $PROXY_IP/foo

Kong sees the internal cluster IP by default (with the default externalTrafficPolicy of Cluster, kube-proxy SNATs the connection to a node address before it reaches the Kong pod), so in layman’s terms your IP “isn’t picked up”.

To enable IP restriction within your Kong API gateway, you need to do the following.

1. Add externalTrafficPolicy: Local to the Kong proxy Service in the manifest:

    externalTrafficPolicy: Local

externalTrafficPolicy: setting the value to Local makes kube-proxy preserve the client’s source IP instead of replacing it with a cluster (node) IP.

2. Within the env section of the Kong proxy container, add (Kong only reads settings from environment variables carrying the KONG_ prefix, so the header variable must be KONG_REAL_IP_HEADER, not REAL_IP_HEADER):

    # header the upstream load balancer puts the client address in
    - name: KONG_REAL_IP_HEADER
      value: X-Forwarded-For
    # peers whose X-Forwarded-For entries Kong will believe
    - name: KONG_TRUSTED_IPS
      value: 0.0.0.0/0,::/0
    # walk the header right-to-left past trusted hops instead of taking the last entry
    - name: KONG_REAL_IP_RECURSIVE
      value: "on"

KONG_REAL_IP_HEADER: the X-Forwarded-For header is added by an ALB (Application Load Balancer), so Kong is told to take the client address from that header.

KONG_TRUSTED_IPS: I generally use 0.0.0.0/0,::/0, which means trust all IPs within the X-Forwarded-For values, but if you know the IP that will be sending traffic with the X-Forwarded-For header, such as the ALB, you can use that instead.

In my case trusting all IPs is fine, as I’m opening up specific routes that have rate limiting by IP, caching, request size limits, as well as bot detection. I’m also whitelisting IPs, allowing me to be in control of who can and who can’t access my routes.

KONG_REAL_IP_RECURSIVE: when “on”, Kong walks the X-Forwarded-For header it receives. The header is a comma-separated list of IPs; the recursive setting iterates through them from the right, skipping every address that is in KONG_TRUSTED_IPS, and takes the first untrusted one as the origin IP.
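The following Python is an added example, not code from this post or from Kong: it models the X-Forwarded-For resolution that KONG_TRUSTED_IPS and KONG_REAL_IP_RECURSIVE configure (Kong hands them to nginx's realip module), and it is what the ip-restriction plugin then evaluates. It shows why the narrower ALB-only trust list mentioned above matters: with 0.0.0.0/0,::/0 every hop is trusted, so the entry the client wrote itself wins, whereas trusting only the ALB yields the address the ALB appended. The ALB CIDR 10.0.0.0/8, the peer 10.0.1.20 and the sample header are constructed for the example.

```python
import ipaddress

# Constructed sample: Kong sits behind an ALB in 10.0.0.0/8 (assumed CIDR).
# The client at 203.0.113.7 sends a forged X-Forwarded-For claiming to be
# 198.51.100.5; the ALB appends the real peer address before forwarding.
ALB_CIDR = "10.0.0.0/8"
ALB_PEER = "10.0.1.20"
FORGED_XFF = "198.51.100.5, 203.0.113.7"


def _is_trusted(ip, trusted_nets):
    """True if ip falls inside any CIDR in trusted_nets (v4/v6 mismatches are False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def resolve_client_ip(peer_ip, xff_header, trusted_ips, recursive=True):
    """Mimic nginx realip as driven by KONG_TRUSTED_IPS / KONG_REAL_IP_RECURSIVE.

    peer_ip: TCP peer Kong accepted; xff_header: raw X-Forwarded-For value;
    trusted_ips: CIDRs whose entries may be believed; recursive: on/off.
    """
    trusted_nets = [ipaddress.ip_network(c, strict=False) for c in trusted_ips]
    # The header is only honoured when the direct peer is itself trusted.
    if not _is_trusted(peer_ip, trusted_nets):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        return peer_ip
    if not recursive:
        return hops[-1]
    # Walk from the rightmost (most recently appended) entry leftwards, skipping
    # every hop we trust; the first untrusted one is the origin client.
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted_nets):
            return hop
    # Every hop was trusted, so nginx falls back to the leftmost entry, i.e. the
    # one the client wrote itself. With 0.0.0.0/0,::/0 this is always the outcome.
    return hops[0]


def compare_trust_settings():
    """Return the address ip-restriction would see under each KONG_TRUSTED_IPS choice."""
    return {
        "trust_all": resolve_client_ip(ALB_PEER, FORGED_XFF, ["0.0.0.0/0", "::/0"]),
        "trust_alb_only": resolve_client_ip(ALB_PEER, FORGED_XFF, [ALB_CIDR]),
    }


if __name__ == "__main__":
    for setting, ip in compare_trust_settings().items():
        print(f"{setting:15s} -> ip-restriction evaluates {ip}")
```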


Written by Joshua Callis

Converted DevOps Engineer at oso.sh, Previously a Senior Software Engineer.
