kubernetes - spec.loadBalancerSourceRanges for the Linode cloud provider

Reposted. Author: 行者123. Updated: 2023-12-02 12:04:31

I am trying to lock down my Kubernetes cluster. I currently use Cloudflare in front of it, so I am trying to whitelist Cloudflare's IP ranges.

Here is my Service YAML:

spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 130.211.204.1/32
    - 173.245.48.0/20
    - 103.21.244.0/22
    - 103.22.200.0/22
    - 103.31.4.0/22
    - 141.101.64.0/18
    - 108.162.192.0/18
    - 190.93.240.0/20
    - 188.114.96.0/20
    - 197.234.240.0/22
    - 198.41.128.0/17
    - 162.158.0.0/15
    - 104.16.0.0/12
    - 172.64.0.0/13
    - 131.0.72.0/22

After applying this list I can still reach the load balancer URL from any browser! Does this feature not work, or have I configured it incorrectly?

Thanks.

Best answer

https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service:

When using a Service with spec.type: LoadBalancer, you can specify the IP ranges that are allowed to access the load balancer by using spec.loadBalancerSourceRanges. This field takes a list of IP CIDR ranges, which Kubernetes will use to configure firewall exceptions. This feature is currently supported on Google Compute Engine, Google Kubernetes Engine, AWS Elastic Kubernetes Service, Azure Kubernetes Service, and IBM Cloud Kubernetes Service. This field will be ignored if the cloud provider does not support the feature.



It may simply be that your cloud provider does not support it.

You can use something else that allows blocking by source IP, such as nginx or ingress-nginx. In ingress-nginx you just specify the list of allowed IPs in the annotation ingress.kubernetes.io/whitelist-source-range.

If you want to use Nginx or another proxy in the path, don't forget to change the Load Balancer Service's externalTrafficPolicy to Local. Otherwise you will not see the real client IP.
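The two pieces of the answer, the ingress-nginx source-IP allow-list and the controller Service with externalTrafficPolicy: Local, put together as an added example (this is not code from the question, the answer, or the ingress-nginx project). The Cloudflare CIDRs are the ones listed in the question; the namespace, Service name, selector labels, ingress class name, hostname and backend Service name are assumptions taken from the upstream ingress-nginx manifests and are placeholders here. Current ingress-nginx releases read the allow-list from the annotation key nginx.ingress.kubernetes.io/whitelist-source-range (with the nginx. prefix), so that is the key used below.

```yaml
# Added example, not part of the original answer. Placeholder names:
# namespace ingress-nginx, Service ingress-nginx-controller, class "nginx",
# host example.com, backend Service web-svc.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  # Local preserves the client's source address on the way to the
  # controller pod. With the default "Cluster" policy the node SNATs the
  # connection and the allow-list below would only ever see node IPs,
  # so it would either block everyone or allow everyone.
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: default
  annotations:
    # Comma-separated CIDRs. Requests whose source address is outside
    # every range are answered with HTTP 403 by the controller itself;
    # they never reach the backend. This is the Cloudflare list from
    # the question (130.211.204.1/32 omitted: it is the Kubernetes docs
    # sample address, not a Cloudflare range).
    nginx.ingress.kubernetes.io/whitelist-source-range: "173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22"
spec:
  ingressClassName: nginx
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web-svc
                port:
                  number: 80
```

To check that the allow-list is in effect, request the host through the load balancer address from a machine that is not behind Cloudflare (for example `curl -sI -H 'Host: example.com' http://<LB-IP>/`) and expect a 403; the same request routed through Cloudflare should succeed. Two caveats: with externalTrafficPolicy: Local only nodes that actually run a controller pod answer health checks, so the load balancer forwards to those nodes only; and an ingress-level allow-list does not stop traffic to the load balancer IP on ports the Ingress does not serve, so the node-level firewall (or the provider's firewall, where one exists) still matters.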

Regarding kubernetes - spec.loadBalancerSourceRanges for the Linode cloud provider, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/55829704/
