我知道我可以将整个入口对象的IP列入白名单,但有没有办法将单个路径的IP列入黑名单?例如,如果我只想允许从10.0.0.0/16访问/admin?
ingress.yml:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
- path: /api
backend:
serviceName: api
servicePort: 8000
- path: /admin
backend:
serviceName: api
servicePort: 8000
- path: /staticfiles
backend:
serviceName: api
servicePort: 80
如果您想将其拆分为两个Ingres,它看起来像下面的示例。第一个Ingress具有/admin路径和注释,第二个Ingress具有任何IP允许的其他paths。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend-admin
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /admin
backend:
serviceName: api
servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend-all
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
- path: /api
backend:
serviceName: api
servicePort: 8000
- path: /staticfiles
backend:
serviceName: api
servicePort: 80
请记住,注释nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"将覆盖您的一些配置。如Nginx文档中所述:
向Ingress规则添加注释将覆盖任何全局限制。
另一个选项是使用ConfigMap白名单源范围。如本例中所述,您可以使用ngx_http_access_module。
与Nginx配置一样,每个path都保存为
location / {
...
}
location /api {
...
}
你可以在那里添加这些限制。以下示例:
location / {
deny 192.168.1.1;
allow 192.168.1.0/24;
allow 10.1.1.0/16;
allow 2001:0db8::/32;
deny all;
}
您可以尝试分部分设计入口。我创建了两个入口,都有不同的路径,你可以更改白名单IP
1:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend
servicePort: 80
2:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: frontend
namespace: default
labels:
app: frontend
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: "letsencrypt-prod"
#nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
tls:
- hosts:
- frontend.example.com
secretName: frontend-tls
rules:
- host: frontend.example.com
http:
paths:
- path: /
backend:
serviceName: frontend-two
servicePort: 80
您解决了这个问题吗?我不知道,如何使用这个选项,从以前的答案
另一个选项是使用ConfigMap白名单源范围。喜欢本例中提到,您可以使用ngx_http_access_module
你能举个例子吗?
分成几个凹陷-在某些情况下非常不合适=(
我刚刚找到了另一个解决方案(但我认为之前的解决方案更漂亮(:您可以使用注释nginx.ingress.kubernetes.io/server snippet并进行编写,就像直接在nginx.conf 中一样
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-摘录
https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/