Limiting access by IP in Kubernetes on GCP's GKE
I am running Kubernetes (k8s) on top of Google Cloud Platform's Container Engine (GKE) and Load Balancers (GLB). I'd like to limit the access at a k8s ingress to an IP whitelist.
Is this something I can do in k8s or GLB directly, or will I need to run things via a proxy which does it for me?
The way to whitelist source IPs in nginx-ingress is using the annotation below.
ingress.kubernetes.io/whitelist-source-range
But unfortunately, Google Cloud Load Balancer does not have support for it, AFAIK.
If you're using the nginx ingress controller you can use it.
The value of the annotation can be comma separated CIDR ranges.
More on whitelist annotation.
Issue tracker for progress on Google Cloud Load Balancer support for whitelisting source IPs.
Nowadays you can use nginx.ingress.kubernetes.io/whitelist-source-range as specified here: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
You need to be sure that you are forwarding external IPs to your services - https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
And if you are using NGINX Ingress, make sure you set externalTrafficPolicy: Local on your ingress controller's service.
You can use CORS and only allow IPs from the frontend to access your microservices.
GCP's firewall rules cannot be applied on the Global Load Balancer that is attached to an Ingress created on GKE. If you want to restrict access to only specific IP addresses (for example: users connecting via VPN, in this case the VPN gateway's IP address) then there is no out of the box solution on GCP, especially GKE.
Nginx and the HTTP header "x-forwarded-for" to the rescue
If you are using GKE, chances are that you have a microservices architecture and you are using an API Gateway, and chances are that Nginx is the API Gateway. All that needs to be done is to configure nginx to only allow requests that have the following IPs:
user.ext.static.ip → Public IP of the client
app.global.static.ip → Global static IP assigned to the Ingress
nginx conf
location /my_service {
    # Run the allowlist check before the request is proxied upstream.
    rewrite_by_lua_file validate_ip.lua;
    proxy_pass http://my_service;
}
validate_ip.lua
local cjson = require "cjson"
local status = ""
local headers = ngx.req.get_headers()
-- X-Forwarded-For as forwarded by the load balancer: "<client ip>, <ingress ip>".
-- Note: if the header appears more than once, get_headers() returns a table here.
local source_ips = headers["x-forwarded-for"]
-- Exact match against the expected "user.ext.static.ip, app.global.static.ip" pair
-- (placeholder addresses below); any other value is rejected.
if source_ips ~= "111.222.333.444, 555.666.777.888" then
    status = "NOT_ALLOWED"
end
if status ~= "" then
    -- Reject with a JSON error body and stop processing the request.
    ngx.status = ngx.HTTP_UNAUTHORIZED
    ngx.header.content_type = "application/json; charset=utf-8"
    ngx.say(cjson.encode({ status = "ERROR", message = status .. "YOUR_MESSAGE" }))
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
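The allowlist logic behind both the nginx-ingress annotation answers (whose value is a comma separated list of CIDR ranges) and the X-Forwarded-For check in the answer above, as an added Python example that is not code from any answer on this page. Rather than comparing the whole header string, it picks out the entry appended by the trusted proxy and tests that address against the CIDR list. It assumes each trusted proxy in front of the gateway appends one X-Forwarded-For entry (some load balancers append their own address as well, so the hop count is a per-deployment setting); all addresses are constructed values.

```python
"""Added example: source-IP allowlisting as done by the whitelist-source-range
annotation and by an X-Forwarded-For check at an nginx gateway.
Not code from any answer on this page; all addresses are constructed."""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Same format the nginx-ingress annotation accepts: comma separated CIDR ranges.
# A bare address is treated as a single-host network. Constructed sample values.
ALLOWLIST = "203.0.113.0/24, 198.51.100.7, 2001:db8::/32"


def parse_allowlist(value: str) -> List[Network]:
    """Turn 'cidr, cidr, ...' into network objects, ignoring empty items."""
    nets: List[Network] = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def client_ip_from_xff(xff: Optional[str], remote_addr: str, trusted_hops: int) -> str:
    """Pick the client address out of X-Forwarded-For.

    Each proxy appends the address it accepted the connection from, so the
    rightmost `trusted_hops` entries were written by infrastructure we control
    (assumption: one entry per trusted proxy; measure this for the real chain).
    The entry just left of those is the client. Anything further left was
    supplied by the client itself and is never trusted.
    """
    if not xff or trusted_hops <= 0:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    idx = len(hops) - trusted_hops
    if idx < 0:
        # Fewer entries than trusted proxies: the header did not come through
        # the expected chain, so fall back to the TCP peer address.
        return remote_addr
    return hops[idx]


def is_allowed(xff: Optional[str], remote_addr: str,
               allowlist: str = ALLOWLIST, trusted_hops: int = 1) -> bool:
    """True if the derived client address falls inside any allowed range.
    Malformed addresses fail closed."""
    try:
        ip = ipaddress.ip_address(client_ip_from_xff(xff, remote_addr, trusted_hops))
    except ValueError:
        return False
    return any(ip in net for net in parse_allowlist(allowlist))


def demo() -> dict:
    """Constructed requests as the gateway sees them: remote_addr is the load
    balancer's internal address, X-Forwarded-For is what it forwarded."""
    lb = "10.0.0.5"
    return {
        # Client inside the allowed /24, one trusted proxy in front of us.
        "allowed_client": is_allowed("203.0.113.10", lb),
        # Client at 192.0.2.44 prepends an allowed address to its own header;
        # only the entry added by the proxy counts, so it is rejected.
        "spoofed_prefix": is_allowed("203.0.113.10, 192.0.2.44", lb),
        # Same header through two trusted proxies: entry 0 is then the client.
        "two_proxies": is_allowed("203.0.113.10, 192.0.2.44", lb, trusted_hops=2),
        # No header at all: the TCP peer is the client (direct hit on the service).
        "no_header": is_allowed(None, "198.51.100.7"),
        # Garbage in the header fails closed.
        "malformed": is_allowed("not-an-ip", lb),
        # IPv6 client inside the allowed /32.
        "ipv6": is_allowed("2001:db8::1", lb),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>15}: {'allow' if ok else 'deny'}")
```

The two settings that matter in practice are the ones the earlier answers point at: the client address must actually reach the check (externalTrafficPolicy: Local on the controller Service, or a correct trusted hop count for the proxies in front of it), and the allowlist should be written as CIDR ranges so the same value works for the annotation and for a gateway-side check.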