Trying to set up an ingress with tls and open to some IPs only on GKE


Question

I'm having trouble setting up an ingress open only to some specific IPs; I checked the docs, tried a lot of stuff, and an IP outside the source range keeps accessing. That's a Zabbix web interface on an Alpine image with nginx; I set up a service on node-port 80, then used an ingress to set up a load balancer on GCP. It's all working, the web interface is working fine, but how can I make it accessible only to the desired IPs? My firewall rules are ok and it's only accessible through the load balancer IP.


Also, I have a specific namespace for this deploy.

Cluster version 1.11.5-gke.5

EDIT: I'm using the GKE standard ingress (GLBC).

My template is configured as follows; can someone help enlighten me on what is missing:

apiVersion: v1
kind: ReplicationController
metadata:
  name: zabbix-web
  namespace: zabbix-prod
  labels:
    app: zabbix
    tier: frontend
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: zabbix-web
        app: zabbix
    spec:
      volumes:
      - name: cloudsql-instance-credentials
        secret:
          defaultMode: 420
          secretName: cloudsql-instance-credentials
      containers:
        - command:
          - /cloud_sql_proxy
          - -instances=<conection>
          - -credential_file=/secrets/cloudsql/credentials.json
          image: gcr.io/cloudsql-docker/gce-proxy:1.11
          imagePullPolicy: IfNotPresent
          name: cloudsql-proxy
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 2
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /secrets/cloudsql
            # must match the volume name declared under spec.volumes above
            name: cloudsql-instance-credentials
            readOnly: true
        - name: zabbix-web
          image: zabbix/zabbix-web-nginx-mysql:alpine-3.2-latest
          ports:
          - containerPort: 80
          env:
          - name: MYSQL_USER
            valueFrom:
              secretKeyRef:
                key: <user>
                name: <user>
          - name: MYSQL_PASSWORD
            valueFrom:
              secretKeyRef:
                key: <pass>
                name: <pass>
          - name: DB_SERVER_HOST
            value: 127.0.0.1
          - name: MYSQL_DATABASE
            value: <db>
          - name: ZBX_SERVER_HOST
            value: <db>
          # the probe belongs to the zabbix-web container, not to the containers list
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /index.php
              port: 80
              scheme: HTTP
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 30
---
apiVersion: v1
kind: Service
metadata:
  name: "zabbix-web-service"
  namespace: "zabbix-prod"
  labels:
    app: zabbix
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    name: "zabbix-web"
  type: "NodePort"
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: zabbix-web-ingress
  namespace: zabbix-prod
  annotations:
    ingress.kubernetes.io/service.spec.externalTrafficPolicy: local
    ingress.kubernetes.io/whitelist-source-range: <xxx.xxx.xxx.xxx/32>
spec:
  tls:
  - secretName: <tls-cert>
  backend:
    serviceName: zabbix-web-service
    servicePort: 80


Accepted answer

You can do this by configuring the Ingress together with Cloud Armor.

Switch to the project:

gcloud config set project $PROJECT

Create the policy:

gcloud compute security-policies create $POLICY_NAME --description "whitelisting"

Change the default policy to deny:

gcloud compute security-policies rules update 2147483647 --action=deny-403 \
  --security-policy $POLICY_NAME

At a lower priority than the default, whitelist all IPs you want to whitelist:

gcloud compute security-policies rules create 2 \
  --action allow \
  --security-policy $POLICY_NAME \
  --description "allow friends" \
  --src-ip-ranges "93.184.17.0/24,151.101.1.69/32"

Up to ten per range.

Note you need valid CIDR ranges; for that you can use CIDR to IP Range -> IP Range to CIDR.

View the policy as follows:

gcloud compute security-policies describe $POLICY_NAME

Drop an entry:

gcloud compute security-policies rules delete $PRIORITY --security-policy $POLICY_NAME

Or the full policy:

gcloud compute security-policies delete $POLICY_NAME

Create the BackendConfig:

# File backendconfig.yaml:
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  namespace: <namespace>
  name: <name>
spec:
  securityPolicy:
    name: $POLICY_NAME

$ kubectl apply -f backendconfig.yaml
backendconfig.cloud.google.com/backendconfig-name created

Add the BackendConfig to the Service:

apiVersion: v1
kind: Service
metadata:
  namespace: <namespace>
  name: <service-name>
  labels:
    app: my-app
  annotations:
    # the port key is a string and must be a port the Service exposes
    cloud.google.com/backend-config: '{"ports": {"80":"backendconfig-name"}}'
spec:
  type: NodePort
  selector:
    app: hello-app
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080

Use the right selectors and point the receiving port of the Service to the BackendConfig created earlier.

Now Cloud Armor will add the policy to the GKE service.

https://console.cloud.google.com/net-security/securitypolicies (after selecting $PROJECT).
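The steps in this answer, as an added example that is not part of the original answer: it validates the source ranges as strict CIDRs (the "valid CIDR ranges" note), splits them into allow rules of at most ten ranges each (the "up to ten" note), builds the gcloud command lines from the answer rather than running them, and produces the BackendConfig and the Service annotation. The function names, the policy name and the extra sample ranges are my own constructed assumptions.

```python
import ipaddress
import json

# Limits and constants as stated in the answer above.
MAX_RANGES_PER_RULE = 10            # "Up to ten per range"
DEFAULT_RULE_PRIORITY = 2147483647  # Cloud Armor's catch-all default rule


def normalize_cidrs(ranges):
    """Return canonical CIDR strings; raise ValueError for anything that is not
    a valid network (host bits set, e.g. 93.184.17.1/24, or a bad mask)."""
    return [str(ipaddress.ip_network(r.strip(), strict=True)) for r in ranges]


def plan_policy(policy, ranges, start_priority=2):
    """Build argv lists for the gcloud commands in the answer: create the policy,
    flip the default rule to deny-403, then one allow rule per chunk of at most
    ten ranges, at consecutive priorities starting at start_priority."""
    cidrs = normalize_cidrs(ranges)
    base = ["gcloud", "compute", "security-policies"]
    cmds = [
        base + ["create", policy, "--description", "whitelisting"],
        base + ["rules", "update", str(DEFAULT_RULE_PRIORITY),
                "--action=deny-403", "--security-policy", policy],
    ]
    for n, i in enumerate(range(0, len(cidrs), MAX_RANGES_PER_RULE)):
        chunk = cidrs[i:i + MAX_RANGES_PER_RULE]
        cmds.append(base + ["rules", "create", str(start_priority + n),
                            "--action", "allow", "--security-policy", policy,
                            "--description", "allow friends",
                            "--src-ip-ranges", ",".join(chunk)])
    return cmds


def backend_config(namespace, name, policy):
    """The BackendConfig manifest from the answer, as a dict ready for YAML/JSON."""
    return {"apiVersion": "cloud.google.com/v1", "kind": "BackendConfig",
            "metadata": {"namespace": namespace, "name": name},
            "spec": {"securityPolicy": {"name": policy}}}


def service_annotation(port, backend_config_name):
    """The cloud.google.com/backend-config annotation binding a Service port to
    the BackendConfig; the port key must be the port number as a string."""
    return {"cloud.google.com/backend-config":
            json.dumps({"ports": {str(port): backend_config_name}})}


if __name__ == "__main__":
    # Constructed sample input: the two ranges quoted in the answer.
    for cmd in plan_policy("zabbix-allowlist", ["93.184.17.0/24", "151.101.1.69/32"]):
        print(" ".join(cmd))
```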
