Updated on 2026-06-18 GMT+08:00

Restricting Client IP Addresses for Nginx Ingresses

You can use the following annotations to restrict the client IP addresses that can access an Nginx ingress:

  • nginx.ingress.kubernetes.io/whitelist-source-range: Client IP addresses or IP address range that is allowed to access the Nginx ingress. The value can be IP addresses or CIDR blocks. Use commas (,) to separate multiple IP addresses.
  • nginx.ingress.kubernetes.io/denylist-source-range: Client IP addresses or IP address range that is denied to access the Nginx ingress. The value can be IP addresses or a CIDR blocks. Use commas (,) to separate multiple IP addresses.

Configuring IP Address Restrictions

  1. Use kubectl to access the cluster. For details, see Accessing a Cluster Using kubectl.
  2. Create a YAML file named ingress-test.yaml. The file name can be customized.

    vi ingress-test.yaml
    Example for allowing access:
    apiVersion: networking.k8s.io/v1
    kind: Ingress 
    metadata: 
      name: ingress-test
      namespace: default
      annotations:
        nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.1.0/24"  # Client IP address range that is allowed to access the Nginx ingress
    spec:
      rules:
        - host: ''
          http:
            paths:
              - path: /
                backend:
                  service:
                    name: <your_service_name>  # Replace it with your target Service name.
                    port:
                      number: <your_service_port>  # Replace it with your target Service port.
                property:
                  ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
                pathType: ImplementationSpecific
      ingressClassName: nginx

    Example for denying access:

    apiVersion: networking.k8s.io/v1
    kind: Ingress 
    metadata: 
      name: ingress-test
      namespace: default
      annotations:
        nginx.ingress.kubernetes.io/denylist-source-range: "10.0.0.0/24"  # Client IP address range that is denied to access the Nginx ingress
    spec:
      rules:
        - host: ''
          http:
            paths:
              - path: /
                backend:
                  service:
                    name: <your_service_name>  # Replace it with your target Service name.
                    port:
                      number: <your_service_port>  # Replace it with your target Service port.
                property:
                  ingress.beta.kubernetes.io/url-match-mode: STARTS_WITH
                pathType: ImplementationSpecific
      ingressClassName: nginx

  3. Create an ingress.

    kubectl create -f ingress-test.yaml

    If information similar to the following is displayed, the ingress has been created:

    ingress.networking.k8s.io/ingress-test created

  4. Check the created ingress.

    kubectl get ingress

    If information similar to the following is displayed, the ingress has been created:

    NAME          CLASS   HOSTS     ADDRESS          PORTS   AGE
    ingress-test  nginx   *         121.**.**.**     80      10s

  5. Test the access to the ingress. If you configure the example annotation that is used for allowing access, only IP addresses in 192.168.1.0/24 are allowed to access the Nginx ingress, and other IP addresses will receive 403 Forbidden. If you configure the example annotation that is used for denying access, IP addresses in 10.0.0.0/24 cannot access the Nginx ingress, and other IP addresses are allowed.