Restrict access to some Kubernetes services with a global IP whitelist
TLDR: need an IP whitelist that is updated every five minutes to restrict access to services
Hi there
I'm currently migrating our VMs into two Kubernetes clusters (prod and dev). Until now we have managed the access to our system with network access policies that are updated every five minutes. Every environment had its own VM and thus the setup of policies was easy. Our hosting partner is Open Telekom Cloud (OTC).
Now with Kubernetes we run multiple environments on one cluster and network access policies would affect all hosted environments on the cluster.
The dev cluster hosts Preview, Dev1, Stage, ... Preview should have no access restrictions, all other environments should be limited by an IP whitelist.
Is it possible to keep a global IP whitelist, that is updated every five minutes, to limit access to some services? Are the updates distributed automatically?
Would I do the limiting in ingresses or should I use NetworkPolicies?
Is there another way to achieve this?
Greetings from Munich
Edit: Thanks a lot to @harsh-manvar
His solutions will help a lot on basically every managed Kubernetes service. Sadly we are restricted to the one from Telekom DE (OTC CCE)
- NetworkPolicies can not block IPs there
- The Ingress Controller implementation of OTC does not allow IP whitelisting (or blacklisting). They are on it though (should hopefully be delivered in late 2022)
- Load balancer blocking does not work either
We ended up with a Web Application Firewall (150€/month per domain) that forwards/blocks requests based on the IP.
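For readers on a cluster where the two options from the question do work, here is an added example (not code from the post or from OTC) of rendering both an ipBlock NetworkPolicy and the ingress-nginx whitelist annotation from a whitelist file, so a CronJob can re-apply them every five minutes. It assumes one namespace per environment, pods labelled `app=web`, and an ingress-nginx controller; the whitelist contents are constructed sample data.

```python
"""Render a per-environment IP whitelist as a NetworkPolicy and as an
ingress-nginx annotation. Added example, not from the original post."""
import ipaddress
import json

# Constructed sample whitelist: one CIDR or single host per line, '#' comments allowed.
WHITELIST_TEXT = """\
203.0.113.0/24      # office
198.51.100.7        # monitoring host
2001:db8::/32       # partner range (IPv6)
"""


def parse_whitelist(text):
    """Return validated, deduplicated, sorted CIDRs; refuse catch-all or empty lists."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # ValueError on malformed input
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all entry {line!r}")
        nets.add(str(net))
    if not nets:
        raise ValueError("empty whitelist: refusing to render a policy")
    return sorted(nets)


def network_policy(namespace, cidrs, app_label="web"):
    """Ingress-only NetworkPolicy allowing only the given CIDRs to reach app=<label> pods."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "ip-whitelist", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": app_label}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"ipBlock": {"cidr": c}} for c in cidrs]}],
        },
    }


def ingress_annotation(cidrs):
    """The same list in the form the ingress-nginx controller reads from an Ingress."""
    return {"nginx.ingress.kubernetes.io/whitelist-source-range": ",".join(cidrs)}


if __name__ == "__main__":
    cidrs = parse_whitelist(WHITELIST_TEXT)
    print(json.dumps(network_policy("stage", cidrs), indent=2))  # pipe into kubectl apply -f -
    print(ingress_annotation(cidrs))
```

Both forms only see the real client address if the load balancer in front of the cluster preserves it (no SNAT, or proxy protocol / X-Forwarded-For trusted by the controller); behind a load balancer that rewrites the source, the policy matches the balancer's address for every client, which is consistent with what the asker observed on OTC.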
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
