Hi,
I would like to know if it is possible to restrict the 0.0.0.0/0 rules that I have in my firewall for my k8s clusters. It turns out that when I installed the nginx ingress I got this message to fix the communication from outside so that they could reach my applications.
But I think having 0.0.0.0/0 is not the best practice, so I don't know if anyone knows what range I should put in there to avoid 0.0.0.0/0.
Any suggestions? For example, if the nginx ingress IP is X.X.X.X, I should only have the 0.0.0.0/0 open to that IP so that from outside they could continue accessing, right? There is no way to avoid the 0.0.0.0/0, right?
Thank you very much
Any help to avoid 0.0.0.0/0?
Thank you very much!
Hi @Dani3,
Let me address your concerns, one by one.
@Dani3 wrote:
I would like to know if it is possible to restrict the 0.0.0.0/0 rules that I have in my firewall for my k8s clusters. It turns out that when I installed the nginx ingress I got this message to fix the communication from outside so that they could reach my applications.
Yes, this is possible. You can restrict the 0.0.0.0/0 (any IP) rules in your firewall that allow access to your Kubernetes cluster when using Nginx Ingress.
You can enhance security by replacing the 0.0.0.0/0 rules in your firewall with more specific rules that only allow traffic from certain IP ranges. This way, you limit access to your Kubernetes cluster and Nginx Ingress controller to only those sources you trust, rather than leaving your cluster open to any IP.
@Dani3 wrote:
But I think having 0.0.0.0/0 is not the best practice, so I don't know if anyone knows what range I should put in there to avoid 0.0.0.0/0.
Using 0.0.0.0/0 (any IP) as a default rule is generally not considered a best practice for security reasons.
This will expose your infrastructure to security risks because you're allowing access to your resources from any source IP address.
I recommend implementing the principle of least privilege, which means granting only the minimum necessary access to resources. In the context of Kubernetes and network security, this translates to restricting access to trusted sources and specific IP ranges.
@Dani3 wrote:
Any suggestions? For example, if the nginx ingress IP is X.X.X.X, I should only have the 0.0.0.0/0 open to that IP so that from outside they could continue accessing, right? There is no way to avoid the 0.0.0.0/0, right?
Yes, you're on the right track. If you want to control who can use your Nginx Ingress controller's IP address but still let outside visitors access your services, try these steps:
1. Determine Nginx Ingress Controller IP
Find out the external IP address of your nginx Ingress controller. This IP address is typically associated with a LoadBalancer service that's provisioned by the cloud provider.
2. Update Ingress Whitelist
Configure your security groups or firewall rules (depending on your cloud provider or network setup) to allow incoming traffic only from the specific IP address of your nginx Ingress controller. This effectively restricts access to only that IP address while still allowing traffic from outside.
Let's say your nginx Ingress controller has an outside IP like x.x.x.x. You can set up your security rules so only x.x.x.x can get in, while everyone else is blocked. This means people outside can still use your services through the Ingress controller, but others won't be able to.
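As an added example (not code from this thread or from the nginx ingress project), here is a small Python audit script in the spirit of steps 1 and 2 above. It takes firewall rules in the JSON shape that `gcloud compute firewall-rules list --format=json` prints, flags every INGRESS rule whose source is 0.0.0.0/0, and proposes a tightened rule. Two practical points are built in: the source-range filter matches the addresses of the clients reaching the load balancer, so for a public web service 0.0.0.0/0 is kept only on the ports the ingress actually serves (80/443, for the nodes carrying the cluster's target tag), while every other wide-open rule (NodePort range, SSH and the like) is limited to trusted ranges; and strict CIDR parsing rejects malformed inputs such as `0.0.0.0.0/0` before they reach gcloud. The rule names, target tag and CIDRs in the sample are constructed, the trusted range `203.0.113.0/24` is an assumed placeholder, and the `gcloud compute firewall-rules update --source-ranges` commands it prints are suggestions to adapt to your own project.

```python
"""Audit GCP VPC firewall rules for 0.0.0.0/0 sources and propose tighter ones.

Added example for this thread; the input mirrors the Compute Engine Firewall
resource as printed by `gcloud compute firewall-rules list --format=json`.
"""
import ipaddress
import json
from typing import Dict, List, Set

ANY_IPV4 = "0.0.0.0/0"
# Ports a public web service behind the ingress controller legitimately exposes
# to the whole Internet (assumption: plain HTTP and HTTPS only).
PUBLIC_PORTS = {"80", "443"}

# Constructed sample rules: names, target tag and CIDRs are made up for this example.
SAMPLE_RULES_JSON = """
[
  {"name": "k8s-fw-ingress-example", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}],
   "targetTags": ["gke-example-cluster-node"]},
  {"name": "allow-nodeports-wide-open", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["30000-32767"]}],
   "targetTags": ["gke-example-cluster-node"]},
  {"name": "allow-ssh-from-office", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
   "targetTags": ["gke-example-cluster-node"]}
]
"""


def load_rules(rules_json: str) -> List[Dict]:
    """Parse the JSON array produced by `gcloud compute firewall-rules list --format=json`."""
    return json.loads(rules_json)


def parse_cidr(text: str) -> ipaddress.IPv4Network:
    """Strict CIDR parsing: rejects typos like '0.0.0.0.0/0' and host bits set."""
    return ipaddress.IPv4Network(text, strict=True)


def is_valid_cidr(text: str) -> bool:
    try:
        parse_cidr(text)
        return True
    except ValueError:
        return False


def allowed_ports(rule: Dict) -> Set[str]:
    """Ports the rule opens; '*' stands for all ports (no port list, or a non-TCP/UDP protocol)."""
    ports: Set[str] = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "udp") or "ports" not in entry:
            ports.add("*")
        else:
            ports.update(entry["ports"])
    return ports


def is_open_to_internet(rule: Dict) -> bool:
    """True for an INGRESS rule that accepts traffic from any source address."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    return any(parse_cidr(c) == parse_cidr(ANY_IPV4) for c in rule.get("sourceRanges", []))


def find_open_rules(rules: List[Dict]) -> List[str]:
    return [r["name"] for r in rules if is_open_to_internet(r)]


def tighten(rule: Dict, trusted_ranges: List[str]) -> Dict:
    """Copy of the rule in which 0.0.0.0/0 survives only if every port it opens is a
    public web port; otherwise the source becomes the trusted ranges."""
    for cidr in trusted_ranges:
        parse_cidr(cidr)  # fail loudly on a malformed trusted range
    new_rule = dict(rule)
    if is_open_to_internet(rule) and not allowed_ports(rule) <= PUBLIC_PORTS:
        new_rule["sourceRanges"] = list(trusted_ranges)
    return new_rule


def update_command(rule: Dict) -> str:
    """The gcloud command that would apply the rule's new source ranges."""
    return (f"gcloud compute firewall-rules update {rule['name']} "
            f"--source-ranges={','.join(rule['sourceRanges'])}")


def audit(rules_json: str, trusted_ranges: List[str]) -> List[str]:
    """Return one update command for every rule the audit would tighten."""
    commands = []
    for rule in load_rules(rules_json):
        tightened = tighten(rule, trusted_ranges)
        if tightened.get("sourceRanges") != rule.get("sourceRanges"):
            commands.append(update_command(tightened))
    return commands


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES_JSON)
    print("rules open to the whole Internet:", find_open_rules(rules))
    for cmd in audit(SAMPLE_RULES_JSON, ["203.0.113.0/24"]):  # assumed trusted range
        print(cmd)
```

Run it against real output by piping `gcloud compute firewall-rules list --format=json` into `SAMPLE_RULES_JSON`'s place; the script only prints the commands, so you can review each proposed change before applying it. The rule that serves the ingress on 80/443 is deliberately left at 0.0.0.0/0, because narrowing it to any single address would cut off the outside visitors the ingress exists to serve.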
I want to restrict by geographical location for my nginx ingress controller in GCP. Is this possible? Like I want to block China.