Support enabling GeoIP2 geofiltering on the NGINX ingress controller #1

Merged

irfan merged 9 commits from geoip into master 2026-03-03 12:36:09 +08:00

Conversation 0 Commits 9 Files changed 3 +62 -8

irfan commented 2026-03-03 12:25:33 +08:00

Owner

Copy link

Changes

• Added new boolean env var NGINX_GEOIP in ingress.sh script for enabling/disabling the aforementioned new feature
• Added geoip-values.yaml to ingress deps for use if enabled
• ATTN: Updated ingress deployment to set externalTrafficPolicy to Local by default (only necessary for geoip lookup, but should be a sane default so we have access to real client IPs)

Notes

• Use of this feature requires a per-ingress configuration (i.e. to set countries to allow) using the configuration-snippet annotation, which requires setting the controller's annotations-risk-level to Critical. This is technically risky, as it allows all sorts of annotations to be configured on an ingress, but for a single person/org tenant cluster, this risk should not be of a big concern. Reference: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations-risk/#annotations-scope-and-risk
• There may or may not be a functional 'impact' on setting externalTrafficPolicy to Local from its previous default value of Cluster. Reference: http://archive.today/2026.03.03-042921/https://medium.com/@zghanem/understanding-the-impact-of-externaltrafficpolicy-on-kubernetes-services-4f4426cb1246.

## Changes - Added new boolean env var `NGINX_GEOIP` in `ingress.sh` script for enabling/disabling the aforementioned new feature - Added `geoip-values.yaml` to ingress deps for use if enabled - ATTN: Updated ingress deployment to set `externalTrafficPolicy` to `Local` by default (only necessary for geoip lookup, but should be a sane default so we have access to real client IPs) ## Notes - Use of this feature requires a per-ingress configuration (i.e. to set countries to allow) using the `configuration-snippet` annotation, which requires setting the controller's `annotations-risk-level` to `Critical`. This is technically risky, as it allows all sorts of annotations to be configured on an ingress, but for a single person/org tenant cluster, this risk should not be of a big concern. Reference: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations-risk/#annotations-scope-and-risk - There may or may not be a functional 'impact' on setting `externalTrafficPolicy` to `Local` from its previous default value of `Cluster`. Reference: http://archive.today/2026.03.03-042921/https://medium.com/@zghanem/understanding-the-impact-of-externaltrafficpolicy-on-kubernetes-services-4f4426cb1246.

irfan added 9 commits 2026-03-03 12:25:35 +08:00

Add new NGINX_GEOIP env var option ... 09ad909a2b

For enabling/disabling geoip2 geofiltering

Supply geoip-values if NGINX_GEOIP set to true dedf972ecb

Add geoip values for ingress-nginx d9c60f1340

Add newline beb475f015

Set expected MaxMind edition ID 8e821711dc

Set externalTrafficPolicy to Local to preserve real client IPs ... 629ae75023

Necessary for geoip lookup since we require the client IP

Note required externalTrafficPolicy setting ... 2651664030

Commented since it's only for documentation, since we set that value explicitly anyway

Require setting annotations-risk-level to Critical ... d278238745

Since per-ingress configuration of countries to allow/block requires using configuration-snippet annotation which needs it

Ref: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations-risk/#annotations-scope-and-risk

Document new NGINX_GEOIP option b8bfc19ae1

irfan merged commit 55230233df into master 2026-03-03 12:36:09 +08:00

irfan deleted branch geoip 2026-03-03 12:36:10 +08:00

irfan referenced this pull request from a commit 2026-03-03 12:36:10 +08:00

Merge pull request 'Support enabling GeoIP2 geofiltering on the NGINX ingress controller' (#1) from geoip into master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

irfan/orked!1

No description provided.