Nginx 路径的Kubernetes入口白名单IP

我知道我可以将整个入口对象的IP列为白名单，但是有没有办法将各个路径的IP列为白名单？例如，如果我只想允许从

10.0.0.0/16

访问

/admin

ingres.yml

：

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

---

你可以试着把入口分成几个部分。我创建了两个入口，都有不同的路径，您可以更改白名单IP

1：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend-two
              servicePort: 80

2：

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend-two
              servicePort: 80

---

如果您想将其拆分为两个入口，它将如下面的示例所示。第一个

入口

带有

/admin

路径和注释，第二个

入口

带有任何

IP

允许的其他

路径

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-admin
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-all
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

请记住注释
nginx.ingres.kubernetes.io/whitelist-source-range:“10.0.0.0/16”
将覆盖一些配置。如中所述：

向入口规则添加注释将覆盖任何全局限制



另一个选项是使用
ConfigMap
。如中所述，您可以使用
ngx\u http\u访问\u模块

与Nginx config中一样，每个
路径都保存为

location / {
  ...
}

location /api {
  ...
}

您可以在那里添加这些限制。以下示例：

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}

你解决问题了吗？从前面的答案中，我想不出如何使用这个选项

另一个选项是使用ConfigMap白名单源范围。喜欢
本例中提到，您可以使用ngx_http_访问_模块

你能举个例子吗

分为几个入口-在某些情况下非常不适合=(


我刚刚找到了另一个解决方案（但我认为前面答案中的解决方案更漂亮）：
您可以使用注释nginx.ingres.kubernetes.io/server snippet和写入，就像直接在nginx.conf中一样


我发现最好的选择就是使用两个不同的入口清单，尽管在使用了两个入口后我没有时间做太多研究。