Is there a way to whitelist IP addresses to access Cloud Run services?


Question

Is there a way to set up access to Cloud Run services via whitelisted IP addresses?

I could not find anything in the documentation besides this Authentication overview.

Recommended answer

When you deploy a Cloud Run service in private mode, the requester has to request the endpoint with a bearer token. This token is checked by the Google Front End (GFE), which is also in charge of managing SSL certificates, for example, and it has to reference an account (member, group or service account) that has the role run.invoker on the Cloud Run service.

If you grant this role to AllUsers, the service switches from private to public and anybody can call it without any authentication.

That is for the behavior of Cloud Run, and as you can't customize GFE, IP filtering is not possible directly. You have to add an additional component for performing this filter.

With Cloud Run for Anthos (as proposed by Kolban) you can set firewall rules and thus you can perform filtering. But you aren't in the serverless world: you have to manage your cluster, your nodes, your firewall rules, your load balancer, ...

Last thing, one piece of advice from Google is: don't trust the network. Because it's easy to steal an IP address (I don't know how, but for Google it's obvious!!). If you can avoid any infrastructure dependency, it's better!
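The answer's point that granting run.invoker to AllUsers turns a private service public can be checked from the service's IAM policy. The following is an added example, not part of the original answer: a Python script that reads the JSON printed by `gcloud run services get-iam-policy SERVICE --format=json` and reports who holds `roles/run.invoker`. The sample policy and its account names are constructed, and the script also flags `allAuthenticatedUsers`, which the answer does not mention.

```python
import json
import sys

INVOKER_ROLE = "roles/run.invoker"
# allUsers makes the service callable without any token; allAuthenticatedUsers
# admits any Google account, so neither restricts callers to named identities.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (project and account names are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:caller@example-project.iam.gserviceaccount.com",
                 "group:ops@example.com"]},
    {"role": "roles/run.invoker", "members": ["allUsers"]},
    {"role": "roles/run.admin", "members": ["user:admin@example.com"]}
  ]
}
""")


def audit_invoker_policy(policy):
    """Summarise which identities may invoke the service, from its IAM policy dict."""
    report = {"public": False, "public_members": [], "invokers": {}}
    for binding in policy.get("bindings", []):
        if binding.get("role") != INVOKER_ROLE:
            continue  # only the invoker role decides who can call the endpoint
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                report["public"] = True
                report["public_members"].append(member)
                continue
            # Members look like "user:...", "group:..." or "serviceAccount:..."
            kind, _, name = member.partition(":")
            report["invokers"].setdefault(kind, []).append(name)
    return report


if __name__ == "__main__":
    # Pipe the gcloud JSON output in, or run without input to audit the sample.
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    result = audit_invoker_policy(policy)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["public"] else 0)  # non-zero exit when the service is public
```

The non-zero exit status on a public binding lets the check run as a gate in a deployment pipeline.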
