Nginx 路径的Kubernetes入口白名单IP
我知道我可以将整个入口对象的IP列为白名单,但是有没有办法将各个路径的IP列为白名单?例如,如果我只想允许从Nginx 路径的Kubernetes入口白名单IP,nginx,kubernetes,kubernetes-ingress,Nginx,Kubernetes,Kubernetes Ingress,我知道我可以将整个入口对象的IP列为白名单,但是有没有办法将各个路径的IP列为白名单?例如,如果我只想允许从10.0.0.0/16访问/admin ingres.yml: --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: frontend namespace: default labels: app: frontend annotations: kubernetes.io/ingres
10.0.0.0/16
访问/admin
ingres.yml
:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
- path: /api
backend:
serviceName: api
servicePort: 8000
- path: /admin
backend:
serviceName: api
servicePort: 8000
- path: /staticfiles
backend:
serviceName: api
servicePort: 80
你可以试着把入口分成几个部分。我创建了两个入口,都有不同的路径,您可以更改白名单IP 1:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend-two
servicePort: 80
2:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend-two
servicePort: 80
如果您想将其拆分为两个入口,它将如下面的示例所示。第一个
入口
带有/admin
路径和注释,第二个入口
带有任何IP
允许的其他路径
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend-admin
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /admin
backend:
serviceName: api
servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend-all
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
- path: /api
backend:
serviceName: api
servicePort: 8000
- path: /staticfiles
backend:
serviceName: api
servicePort: 80
请记住注释nginx.ingres.kubernetes.io/whitelist-source-range:“10.0.0.0/16”
将覆盖一些配置。如中所述:
向入口规则添加注释将覆盖任何全局限制
另一个选项是使用ConfigMap
。如中所述,您可以使用ngx\u http\u访问\u模块
与Nginx config中一样,每个路径都保存为
location / {
...
}
location /api {
...
}
您可以在那里添加这些限制。以下示例:
location / {
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
}
你解决问题了吗?从前面的答案中,我想不出如何使用这个选项
另一个选项是使用ConfigMap白名单源范围。喜欢
本例中提到,您可以使用ngx_http_访问_模块
你能举个例子吗
分为几个入口-在某些情况下非常不适合=(
我刚刚找到了另一个解决方案(但我认为前面答案中的解决方案更漂亮):
您可以使用注释nginx.ingres.kubernetes.io/server snippet和写入,就像直接在nginx.conf中一样
我发现最好的选择就是使用两个不同的入口清单,尽管在使用了两个入口后我没有时间做太多研究。