




























NGINX Ingress Controller lets you define IP-based access rules once in a Policy resource and apply them consistently across your Ingress traffic paths.
Across this blog, we’re focused on:
Ingress.Many teams manage IP restrictions through cloud firewalls or raw NGINX config snippets and quickly end up with drift. Using a dedicated Policy for access control gives you:
At a high level:
Policy resource with spec.accessControl.Ingress via the nginx.org/policies annotation.allow/deny directives. Non-matching requests receive a 403 Forbidden response.An allow policy permits only the listed CIDR ranges and rejects everything else:
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
name: webapp-policy
spec:
accessControl:
allow:
- 10.0.0.0/8
A deny policy blocks the listed ranges and permits everything else:
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
name: webapp-policy-deny
spec:
accessControl:
deny:
- 203.0.113.0/24
Reference the policy in the nginx.org/policies annotation:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cafe-ingress
annotations:
nginx.org/policies: "webapp-policy"
spec:
ingressClassName: nginx
rules:
- host: cafe.example.com
http:
paths:
- path: /tea
pathType: Prefix
backend:
service:
name: tea-svc
port:
number: 80
- path: /coffee
pathType: Prefix
backend:
service:
name: coffee-svc
port:
number: 80
Multiple policies can be comma-separated:
annotations: nginx.org/policies: "webapp-policy, webapp-policy-deny"
Important behavior to remember:
Ingress resources for each path (see below).When different routes need different access rules, split them into separate Ingress resources. NGINX Ingress Controller merges them into a single configuration.
Locked-down admin route:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: admin-ingress
annotations:
nginx.org/policies: "webapp-policy"
spec:
ingressClassName: nginx
rules:
- host: cafe.example.com
http:
paths:
- path: /tea
pathType: Prefix
backend:
service:
name: tea-svc
port:
number: 80
Public storefront with no policy:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: storefront-ingress
spec:
ingressClassName: nginx
rules:
- host: cafe.example.com
http:
paths:
- path: /coffee
pathType: Prefix
backend:
service:
name: coffee-svc
port:
number: 80
A common production pattern combines multiple CIDR ranges to restrict an internal dashboard to corporate and VPN traffic only:
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
name: admin-only
namespace: platform
spec:
accessControl:
allow:
- 203.0.113.0/24 # Corporate office network
- 198.51.100.10/32 # VPN exit node 1
- 198.51.100.11/32 # VPN exit node 2
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: admin-dashboard
namespace: platform
annotations:
nginx.org/policies: "admin-only"
spec:
ingressClassName: nginx
rules:
- host: admin.internal.yourcompany.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: admin-dashboard-svc
port:
number: 8080
This gives you defense in depth: blocked traffic never reaches your application containers, regardless of whether an attacker has valid credentials. Use this same pattern for staging environments, partner webhook endpoints, or per-tenant API restrictions.
Before rollout, validate these explicitly:
403 and never reach backend pods.X-Forwarded-For or PROXY protocol so it sees the real client IP./8 covers millions of IPs; prefer /24 or /32 in production.Access Control operates at the Ingress edge, so keep it tight:
/32 for known single-IP sources like VPN exit nodes.You can find complete working examples on GitHub and more documentation in our docs:

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。