[英]Kubernetes Ingress network deny some paths
I've a simple kubernetes ingress network.我有一个简单的 kubernetes 入口网络。
I need deny the access some critical paths like /admin or etc.我需要拒绝访问一些关键路径,如 /admin 等。
My ingress network file shown as below.我的入口网络文件如下所示。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-test
spec:
rules:
- host: host.host.com
http:
paths:
- path: /service-mapping
backend:
serviceName: /service-mapping
servicePort: 9042
How I can deny the custom path with kubernetes ingress network, with nginx annonations or another methods .我如何使用 kubernetes 入口网络、nginx 注释或其他方法拒绝自定义路径。
I handle this issue with annotations shown as below .我使用如下所示的注释处理这个问题。
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx-configuration-snippet
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
server_tokens off;
location DANGER-PATH {
deny all;
return 403;
}
spec:
rules:
- host: api.myhost.com
http:
paths:
- backend:
serviceName: bookapi-2
servicePort: 8080
path: PATH
You can use server-snippet annotation.您可以使用服务器代码段注释。 This seems like exactly what you want to achieve.
这似乎正是您想要实现的目标。
I've faced the same issue and found the solution on github .我遇到了同样的问题,并在github上找到了解决方案。 To achieve your goal, you need to create two Ingresses first by default without any restriction:
为了实现你的目标,你需要先默认创建两个 Ingress,没有任何限制:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-test
spec:
rules:
- host: host.host.com
http:
paths:
- path: /service-mapping
backend:
serviceName: /service-mapping
servicePort: 9042
Then, create a secret
for auth as described in the doc :然后,按照文档中的描述为 auth 创建一个
secret
:
Creating the htpasswd
创建
htpasswd
$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo
Creating the secret
:创建
secret
:
$ kubectl create secret generic basic-auth --from-file=auth
secret "basic-auth" created
Second Ingress with auth for paths which you need to restrict:需要限制路径的带有身份验证的第二个入口:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-with-auth
annotations:
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropiate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - foo"
spec:
rules:
- host: host.host.com
http:
paths:
- path: /admin
backend:
serviceName: service_name
servicePort: 80
According to sedooe answer , his solution may have some issues.根据sedooe answer ,他的解决方案可能有一些问题。
Copy the official Kubernetes way of doing this and use the defaultbackend
container which always returns 404.复制官方的 Kubernetes 方法并使用始终返回 404 的
defaultbackend
容器。
apiVersion: apps/v1
kind: Deployment
metadata:
name: defaultbackend
spec:
selector:
matchLabels:
app: defaultbackend
template:
metadata:
labels:
app: defaultbackend
spec:
containers:
- name: defaultbackend
image: k8s.gcr.io/defaultbackend-amd64:1.5
resources:
requests:
memory: 10M
cpu: 5m
limits:
memory: 10M
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: defaultbackend
spec:
selector:
app: defaultbackend
ports:
- port: 80
targetPort: 8080
Then in your ingress, add a paths
entry:然后在您的入口中,添加一个
paths
条目:
paths:
- path: /
backend:
serviceName: my-real-service
servicePort: 3000
- path: /admin
backend:
serviceName: defaultbackend
servicePort: 80
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.