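Problem
How do you configure an Ingress so that only specific IPs are allowed to access it? In other words, how do you set up an IP whitelist on an Ingress?
Solution
You can do this by setting nginx.ingress.kubernetes.io/whitelist-source-range in the Ingress annotations.
See the official documentation for the description of this annotation.
How to test
You can test it by deploying nginx with the YAML below.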
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment-test
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.14.2
          ports:
            - name: http-web-svc
              containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-test
spec:
  type: ClusterIP
  selector:
    app: nginx
  ports:
    - name: name-of-service-port
      protocol: TCP
      port: 81
      targetPort: http-web-svc
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-test
  labels:
    app: nginx
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    # Only requests from this source address are allowed; all others get 403
    nginx.ingress.kubernetes.io/whitelist-source-range: "118.195.178.154"
spec:
  ingressClassName: nginx
  rules:
    - host: nginx-test.xxxxxx.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                # Must match the name of the Service defined above
                name: nginx-service-test
                port:
                  number: 81
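Note the setting nginx.ingress.kubernetes.io/whitelist-source-range: "118.195.178.154" in the manifest.
With it, the nginx service can only be reached from the host "118.195.178.154".
The test results are as follows:
From "118.195.178.154", the nginx service can be reached with curl.
Requests from any other host get a 403 Forbidden error.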
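A pre-deployment check for the annotation value, as an added example (not code from the original post or from ingress-nginx). It assumes the value is a comma-separated list of IPs or CIDRs and that the controller sees the real client address rather than a load balancer's; the function names and the second test IP are constructed for illustration.

```python
import ipaddress

def parse_whitelist(value):
    """Split a whitelist-source-range value into networks.

    Returns (networks, problems). A bare IP is treated as a single host.
    """
    networks, problems = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (stray comma?)")
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            problems.append(f"not an IP or CIDR: {entry!r}")
            continue
        net = iface.network
        if net.prefixlen == 0:
            problems.append(f"{entry} matches every address")
        elif iface.ip != net.network_address:
            # e.g. 10.0.0.5/24 really whitelists the whole 10.0.0.0/24
            problems.append(f"{entry} has host bits set; it covers {net}")
        networks.append(net)
    return networks, problems

def expected_result(client_ip, value):
    """Return 'allowed' if client_ip falls in a listed range, else '403'."""
    ip = ipaddress.ip_address(client_ip)
    networks, _ = parse_whitelist(value)
    return "allowed" if any(ip in net for net in networks) else "403"

if __name__ == "__main__":
    page_value = "118.195.178.154"  # annotation value used in the Ingress above
    for ip in ("118.195.178.154", "203.0.113.7"):  # second IP is constructed
        print(ip, "->", expected_result(ip, page_value))
    # Constructed value showing the mistakes the check reports
    for problem in parse_whitelist("10.0.0.5/24, ,0.0.0.0/0")[1]:
        print("warning:", problem)
```

If every client gets 403 after deployment, including the whitelisted host, compare the address in the controller's access log with the annotation value before widening the range.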
References
ingress-nginx/docs/user-guide/nginx-configuration/annotations.md at main · kubernetes/ingress-nginx · GitHub