尝试使用tls设置入口并仅在GKE上开放某些IP [英] Trying to set up an ingress with tls and open to some IPs only on GKE
问题描述
我在设置仅对某些特定IP开放的入口时遇到了麻烦,检查了文档,尝试了很多工作,并且源外的IP仍然可以访问。那是使用nginx的高山上的Zabbix Web界面,在节点端口80上设置服务,然后使用入口在GCP上设置负载均衡器,一切正常,Web界面运行良好,但是如何使它可访问仅适用于所需的IP?
我的防火墙规则还可以,并且只能通过负载平衡器IP进行访问
I'm having trouble setting up an ingress open only to some specific IPs, checked docs, tried a lot of stuff and an IP out of the source keep accessing. that's a Zabbix web interface on an alpine with nginx, set up a service on node-port 80 then used an ingress to set up a loadbalancer on GCP, it's all working, the web interface is working fine, but how can I make it accessible only to desired IPs? my firewall rules are ok and it's only accessible through load balancer IP
此外,我为此部署有一个特定的命名空间。
Also, I have a specific namespace for this deploy.
集群版本 1.11.5-gke.5
EDIT 我正在使用GKE标准入口GLBC
Cluster version 1.11.5-gke.5
EDIT i'm using GKE standard ingress GLBC
我的模板配置如下,有人可以帮助我启发丢失的内容:
My template is config as follow can someone help enlighten me on what is missing:
apiVersion: v1
kind: ReplicationController
metadata:
name: zabbix-web
namespace: zabbix-prod
labels:
app: zabbix
tier: frontend
spec:
replicas: 1
template:
metadata:
labels:
name: zabbix-web
app: zabbix
spec:
volumes:
- name: cloudsql-instance-credentials
secret:
defaultMode: 420
secretName: cloudsql-instance-credentials
containers:
- command:
- /cloud_sql_proxy
- -instances=<conection>
- -credential_file=/secrets/cloudsql/credentials.json
image: gcr.io/cloudsql-docker/gce-proxy:1.11
imagePullPolicy: IfNotPresent
name: cloudsql-proxy
resources: {}
securityContext:
allowPrivilegeEscalation: false
runAsUser: 2
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /secrets/cloudsql
name: credentials
readOnly: true
- name: zabbix-web
image: zabbix/zabbix-web-nginx-mysql:alpine-3.2-latest
ports:
- containerPort: 80
env:
- name: MYSQL_USER
valueFrom:
secretKeyRef:
key: <user>
name: <user>
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
key: <pass>
name: <pass>
- name: DB_SERVER_HOST
value: 127.0.0.1
- name: MYSQL_DATABASE
value: <db>
- name: ZBX_SERVER_HOST
value: <db>
readinessProbe:
failureThreshold: 3
httpGet:
path: /index.php
port: 80
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
name: "zabbix-web-service"
namespace: "zabbix-prod"
labels:
app: zabbix
spec:
ports:
- port: 80
targetPort: 80
selector:
name: "zabbix-web"
type: "NodePort"
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: zabbix-web-ingress
namespace: zabbix-prod
annotations:
ingress.kubernetes.io/service.spec.externalTrafficPolicy: local
ingress.kubernetes.io/whitelist-source-range: <xxx.xxx.xxx.xxx/32>
spec:
tls:
- secretName: <tls-cert>
backend:
serviceName: zabbix-web-service
servicePort: 80
推荐答案
您可以通过配置Ingress和Cloud Armour :
切换到项目:
gcloud config set project $PROJECT
创建策略:
gcloud compute security-policies create $POLICY_NAME --description "whitelisting"
将默认策略更改为拒绝:
Change default policy to deny:
gcloud compute security-policies rules update 2147483647 --action=deny-403 \
--security-policy $POLICY_NAME
比默认白名单的优先级低,您要白名单的所有IP:
On lower priority than the default whitelist all IPs you want to whitelist:
gcloud compute security-policies rules create 2 \
--action allow \
--security-policy $POLICY_NAME \
--description "allow friends" \
--src-ip-ranges "93.184.17.0/24,151.101.1.69/32"
每个范围最多十个。
请注意,您需要有效的CIDR范围,为此您可以使用 CIDR到IP范围-> IP范围到CIDR 。
Note you need valid CIDR ranges, for that you can use CIDR to IP Range -> IP Range to CIDR.
按以下方式查看策略:
gcloud compute security-policies describe $POLICY_NAME
丢弃条目:
gcloud compute security-policies rules delete $PRIORITY --security-policy $POLICY_NAME
或完整策略:
gcloud compute security-policies delete $POLICY_NAME
创建 BackendConfig :
# File backendconfig.yaml:
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
namespace: <namespace>
name: <name>
spec:
securityPolicy:
name: $POLICY_NAME
$ kubectl apply -f backendconfig.yaml
backendconfig.cloud.google.com/backendconfig-name created
将BackendConfig添加到服务:
Add the BackendConfig to the Service:
metadata:
namespace: <namespace>
name: <service-name>
labels:
app: my-app
annotations:
cloud.google.com/backend-config: '{"ports": {"80":"backendconfig-name"}}'
spec:
type: NodePort
selector:
app: hello-app
ports:
- port: 80
protocol: TCP
targetPort: 8080
使用正确的选择器并指向服务的接收端口
Use the right selectors and point the receiving port of the Service to the BackendConfig created earlier.
现在Cloud Armor会将策略添加到GKE服务。
Now Cloud Armour will add the policy to the GKE service.
在 https://console.cloud.google.com/net-security/securitypolicies (选择<$ c $后c> $ PROJECT )。
这篇关于尝试使用tls设置入口并仅在GKE上开放某些IP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!