Kubernetes Ingress Whitelist IP for path


Question

I know I can whitelist IPs for the entire ingress object, but is there a way to whitelist IPs for individual paths? For example, if I only want to allow /admin to be accessed from 10.0.0.0/16?

ingress.yml:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

Answer

If you would like to split it into two Ingresses, it would look like the example below: the first Ingress with the /admin path and the annotation, and the second Ingress with the other paths allowed from any IP.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-admin
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-all
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

Please keep in mind that the annotation nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" will override some of your config. As mentioned in the Nginx docs:

Adding an annotation to an Ingress rule overrides any global restriction.

Another option is to use the ConfigMap whitelist-source-range. As mentioned in this example, you can use ngx_http_access_module.

As in the Nginx config, each path is saved as

location / {
  ...
}

location /api {
  ...
}

you can add those restrictions there. Example below:

location / {
    # rules are checked in order; the first match decides
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    # anything not matched above is refused with 403
    deny  all;
}
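To check what the two-Ingress layout from the answer actually lets through, here is an added Python model (not code from the question, the answer or the ingress-nginx project). It assumes the override rule quoted from the docs above (an annotation replaces, rather than narrows, the ConfigMap-level whitelist-source-range) and nginx's longest-prefix location matching; the Ingress table and log lines are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed model of the answer's two-Ingress layout (not live cluster data):
# the /admin Ingress carries the annotation, the other paths carry none.
INGRESSES = [
    {"name": "frontend-admin", "paths": ["/admin"], "whitelist": "10.0.0.0/16"},
    {"name": "frontend-all", "paths": ["/", "/api", "/staticfiles"], "whitelist": None},
]


def effective_ranges(global_whitelist: Optional[str], annotation: Optional[str]):
    """Source ranges that actually apply to one Ingress.

    Per the ingress-nginx docs quoted above, an annotation overrides the
    ConfigMap-level whitelist-source-range; it does not intersect with it.
    Returns None when no restriction applies (any client allowed).
    """
    chosen = annotation if annotation is not None else global_whitelist
    if chosen is None:
        return None
    return [ipaddress.ip_network(c.strip(), strict=False) for c in chosen.split(",")]


def match_ingress(path: str) -> Optional[dict]:
    """Longest-prefix match, mirroring how nginx chooses among prefix locations."""
    best_ing, best_prefix = None, ""
    for ing in INGRESSES:
        for prefix in ing["paths"]:
            if path.startswith(prefix) and len(prefix) > len(best_prefix):
                best_ing, best_prefix = ing, prefix
    return best_ing


def is_allowed(client_ip: str, path: str, global_whitelist: Optional[str] = None) -> bool:
    """True if a client at client_ip would reach the backend for path."""
    ing = match_ingress(path)
    if ing is None:
        return False  # no Ingress routes this path
    ranges = effective_ranges(global_whitelist, ing["whitelist"])
    if ranges is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ranges)


def audit(log_lines: List[str], global_whitelist: Optional[str] = None) -> Dict[str, bool]:
    """Evaluate constructed access-log lines of the form '<client_ip> <path>'."""
    return {line: is_allowed(*line.split(), global_whitelist) for line in log_lines}
```

The last two cases in the test show the override caveat: a cluster-wide whitelist tightens the unannotated Ingress but has no effect on the annotated /admin one.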
