Kubernetes Ingress network deny some paths

I've a simple Kubernetes ingress network.

I need to deny access to some critical paths like /admin, etc.

My ingress network file is shown below.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-test
spec:
  rules:
  - host: host.host.com
    http:
      paths:
      - path: /service-mapping
        backend:
          serviceName: /service-mapping
          servicePort: 9042

How can I deny the custom path with Kubernetes ingress network, with nginx annotations or another method?


I handle this issue with the annotations shown below.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-configuration-snippet
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      server_tokens off;
      location DANGER-PATH {
        deny all;
        return 403;
      }
spec:
  rules:
  - host: api.myhost.com
    http:
      paths:
      - backend:
          serviceName: bookapi-2
          servicePort: 8080
        path: PATH

You can use the server-snippet annotation. This seems like exactly what you want to achieve.
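An added example of the server-snippet approach mentioned above (not part of the original answers). It assumes the ingress-nginx controller with snippet annotations enabled by the cluster administrator (`allow-snippet-annotations: "true"` in the controller ConfigMap), uses the current `networking.k8s.io/v1` API, and reuses host and service names from elsewhere on this page as placeholders; the Ingress name and class name are hypothetical.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-deny-admin        # hypothetical name
  annotations:
    # The snippet is injected into the nginx server block for host.host.com.
    # The regex matches /admin and everything below it, case-insensitively,
    # but not sibling paths such as /administrator or /admin-ui.
    # A regex location takes precedence over the plain prefix location
    # generated for "/" below, so the request never reaches the backend.
    nginx.ingress.kubernetes.io/server-snippet: |
      location ~* ^/admin(/|$) {
        deny all;
      }
spec:
  ingressClassName: nginx         # assumption: class name of the controller
  rules:
  - host: host.host.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-real-service
            port:
              number: 3000
```

With this applied, requests to /admin and /admin/... on that host get a 403 from nginx while all other paths reach the service. The server-snippet annotation can be set only once per host, so keep every blocked path for a host in the same Ingress.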

I've faced the same issue and found the solution on GitHub. To achieve your goal, you need to create two Ingresses. First, the default one without any restriction:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-test
spec:
  rules:
  - host: host.host.com
    http:
      paths:
      - path: /service-mapping
        backend:
          serviceName: /service-mapping
          servicePort: 9042

Then, create a secret for auth as described in the doc:

Creating the htpasswd:

$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo

Creating the secret:

$ kubectl create secret generic basic-auth --from-file=auth
secret "basic-auth" created

Second Ingress with auth for paths which you need to restrict:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - foo"
spec:
  rules:
  - host: host.host.com
    http:
      paths:
      - path: /admin
        backend:
          serviceName: service_name
          servicePort: 80

According to sedooe's answer, his solution may have some issues.

Copy the official Kubernetes way of doing this and use the defaultbackend container which always returns 404.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: defaultbackend
spec:
  selector:
    matchLabels:
      app: defaultbackend
  template:
    metadata:
      labels:
        app: defaultbackend
    spec:
      containers:
      - name: defaultbackend
        image: k8s.gcr.io/defaultbackend-amd64:1.5
        resources:
          requests:
            memory: 10M
            cpu: 5m
          limits:
            memory: 10M
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: defaultbackend
spec:
  selector:
    app: defaultbackend
  ports:
  - port: 80
    targetPort: 8080

Then in your ingress, add a paths entry:

      paths:
      - path: /
        backend:
          serviceName: my-real-service
          servicePort: 3000
      - path: /admin
        backend:
          serviceName: defaultbackend
          servicePort: 80
