
nginx - Kubernetes Ingress whitelist IP for a path

Reposted. Author: 行者123. Updated: 2023-12-02 12:02:45

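I know I can whitelist IPs for the entire Ingress object, but is there a way to whitelist IPs for a single path? For example, if I only want to allow /admin to be accessed from 10.0.0.0/16?
ingress.yml: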

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

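Best answer

If you want to split it into two Ingresses, it would look like the example below. The first Ingress has the /admin path and the annotation, and the second Ingress has the other paths, allowed from any IP.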

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-admin
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-all
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

Please keep in mind that the annotation nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" will override some of your config. As mentioned in the Nginx docs:

Adding an annotation to an Ingress rule overrides any global restriction.



Another option is to use the ConfigMap whitelist-source-range. As mentioned in this example, you can use ngx_http_access_module.

In the Nginx config, each path is saved as
location / {
    ...
}

location /api {
    ...
}

You can add these restrictions there. Example below:
location / {
    deny 192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny all;
}
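
As an added example (not part of the original answer), this Python sketch models how ngx_http_access_module evaluates the allow/deny rules of the location block above, checking them in order until the first match, and flags rules that an earlier rule makes unreachable. The function names `network`, `decide`, `covers` and `shadowed` are hypothetical, and the client addresses in the demo are constructed.

```python
import ipaddress

# Rules copied in order from the answer's `location /` block.
RULES = [
    ("deny", "192.168.1.1"),
    ("allow", "192.168.1.0/24"),
    ("allow", "10.1.1.0/16"),
    ("allow", "2001:0db8::/32"),
    ("deny", "all"),
]

def network(spec):
    # strict=False masks host bits, so 10.1.1.0/16 is read as 10.1.0.0/16
    return ipaddress.ip_network(spec, strict=False)

def decide(client_ip, rules=RULES):
    """First matching rule wins; with no match the module does not block."""
    addr = ipaddress.ip_address(client_ip)
    for action, spec in rules:
        if spec == "all":
            return action
        net = network(spec)
        if addr.version == net.version and addr in net:
            return action
    return "allow"

def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "all":
        return True
    if inner == "all":
        return False
    a, b = network(outer), network(inner)
    return a.version == b.version and b.subnet_of(a)

def shadowed(rules):
    """Rules that can never fire because an earlier rule covers their range."""
    return [(action, spec) for i, (action, spec) in enumerate(rules)
            if any(covers(earlier, spec) for _, earlier in rules[:i])]

if __name__ == "__main__":
    # Constructed client addresses, not taken from the page.
    for ip in ("192.168.1.1", "192.168.1.50", "10.1.200.7", "2001:db8::1", "203.0.113.9"):
        print(ip, decide(ip))
    # Swapping the first two rules makes the single-host deny unreachable.
    swapped = [RULES[1], RULES[0]] + RULES[2:]
    print(decide("192.168.1.1", swapped), shadowed(swapped))
```

Running `shadowed` over a rule list before deploying it catches the ordering mistake where a specific deny is placed after a broader allow and silently never applies.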

Regarding nginx - Kubernetes Ingress whitelist IP for a path, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/58925853/
