限制 Traefik 路由上允许的方法 [英] Restrict allowed methods on Traefik routes

问题描述

我目前在我的 K8s 集群中使用 traefik 1.6.x 作为入口控制器.我想更新到 1.7.x(然后更新到 2.x)，但更新后我的入口不再工作.

I'm currently using traefik 1.6.x as ingress controller in my K8s clusters. I wanted to update to 1.7.x (and then to 2.x later on), but my ingresses are not working anymore after the update.

问题似乎是，我通过将方法添加到 traefik.frontend.rule.type 注释来对我的入口进行 http 方法限制，如下所示:

The issue seems to be, that I do http method restrictions on my ingresses by adding the methods to the traefik.frontend.rule.type annotation as follows:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-name
  namespace: namespace1
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: "Method: CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT; PathPrefix"
    ingress.kubernetes.io/hsts-max-age: "315360000"
    ingress.kubernetes.io/hsts-include-subdomains: "true"
    ingress.kubernetes.io/custom-frame-options-value: "SAMEORIGIN"
    ingress.kubernetes.io/content-type-nosniff: "true"
    ingress.kubernetes.io/browser-xss-filter: "true"
    ingress.kubernetes.io/custom-response-headers: "Server:||X-Application-Context:||X-Powered-By:||exception:"
spec:
  rules:
    - host: ...

我不知道这是否曾经打算以这种方式完成，但显然它奏效了.我在其他 StackOverflow 帖子 iirc 中发现了这一点.

I don't know if this was ever intended to be done in this way, but apparently it worked. I found that in some other StackOverflow post, iirc.

删除方法部分(或整个注释，因为 PathPrefix 是默认值)使路由恢复生机.但当然，这允许再次使用 TRACE 方法，例如.

Removing the Method part (or the whole annotation then, because PathPrefix is the default) brings the routes back to life. But of course this allows the TRACE method again, for example.

是否有另一种方法可以使用 1.7.x 的 traefik 版本来限制那些(甚至可能适用于所有入口)?

Is there another way to restrict those (maybe even for all ingresses) with traefik versions from 1.7.x?

提前致谢！

推荐答案

实际上@Crou 关于 CORS 标头的评论有效！我刚刚再次偶然发现了这个问题，并将 method 部分移到了 custom-reponse-headers 并且它似乎有效:

Actually the comment of @Crou about CORS headers worked! I just now stumbled upon this problem again and moved the method part to the custom-reponse-headers and it seems to work:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app-name
  namespace: namespace1
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/hsts-max-age: "315360000"
    ingress.kubernetes.io/hsts-include-subdomains: "true"
    ingress.kubernetes.io/custom-frame-options-value: "SAMEORIGIN"
    ingress.kubernetes.io/content-type-nosniff: "true"
    ingress.kubernetes.io/browser-xss-filter: "true"
    ingress.kubernetes.io/custom-response-headers: "Server:||X-Application-Context:||X-Powered-By:||exception:||Access-Control-Allow-Headers:CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT"
spec:
  rules:
    - host: ...

我完全删除了 traefik.frontend.rule.type 部分，因为 PathPrefix 是默认的.

I removed the traefik.frontend.rule.type part then completely, since PathPrefix is the default.

(!) 我只升级到 traefik 1.7.20.我还没有设法迁移到 traefik 2.所以我不确定这是否适用于 traefik 2！

(!) I only moved up to traefik 1.7.20. I've not managed to do the migration to traefik 2 yet. So I'm not sure if this works with traefik 2!

这篇关于限制 Traefik 路由上允许的方法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！