如何在kubernetes nginx入口控制器中仅将一个路径列入白名单 [英] How to whitelist only one path in kubernetes nginx ingress controller

问题描述

我们希望使用Nginx Ingress Controller公开具有不同安全要求的Kubernetes服务的不同路径.

Using the Nginx Ingress Controller, we would like to expose different paths of a Kubernetes service, with different security requirements.

1. /向公众开放

/white-list仅允许来自特定IP地址的连接

/white-list only allows connections from a specific IP Address

/need-key需要API密钥

我正在AWS EKS中运行. Kubernetes版本如下:v1.12.6-eks-d69f1b.

I'm running in AWS EKS. Kubernetes version is as follows:v1.12.6-eks-d69f1b.

如果我们使用注释，则它们将应用于整个服务.理想情况下，我只想对路径应用注释.

If we use Annotations, they apply to the entire service. Ideally I would like to apply an Annotation only to a path.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA
  annotations:
    # use the shared ingress-nginx
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myServiceA
          servicePort: 80
      - path: /white-list
        backend:
          serviceName: myServiceA
          servicePort: 80
          **NEED SOMETHING HERE TO WHITELIST**
      - path: /need-key
        backend:
          serviceName: myServiceA
          servicePort: 80
          **NEED SOMETHING HERE TO USE API-KEY**

我一直得到的结果最终适用于所有路径. 我可以不用API-Key来生活，因为我可以将其编码出来，但是理想情况下，我宁愿将其管理在容器之外.

The results I've been having end up applying to all the paths. I can live without API-Key as I can code that out, but ideally, I'd rather have it managed outside of the container.

有人用NGINX Ingress控制器做到了吗?

Has anyone accomplished this with NGINX Ingress controller?

推荐答案

要为每个路径应用注释，您可以为每个要应用的路径编写一个ingress规则. Nginx Ingress Controller会自行收集这些ingress规则并相应地应用.

To apply annotation for each path, you could write one ingress rule for each path you want to apply. Nginx Ingress Controller will collect those ingress rules by itself and apply accordingly.

例如:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA-root
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myServiceA
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA-white-list
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/whitelist-source-range: X.X.X.X/32
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /white-list
        backend:
          serviceName: myServiceA
          servicePort: 80
...

这篇关于如何在kubernetes nginx入口控制器中仅将一个路径列入白名单的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！