
How to prevent direct access to deployed API services exposed by nginx ingress controller

I've deployed an application on AWS using kops and the ingress nginx controller.

From what I've understood, it looks like the ingress controller allows exposing each service deployed in the cluster publicly. So it makes me wonder about security and authentication.

What is the architecture of my project? I have 3 services deployed in a cluster:

  1. client-ui (front-end)

  2. authentication-api (creates/generates/verifies JWT tokens and calls other services like data-api)

  3. data-api (an API that creates/reads/updates/deletes sensitive data in the DB)

So the question is: if the Ingress controller exposes all services, how do you restrict access to a specific service if the user is not allowed to access it?

In this case data-api should only be accessible from authentication-api. So if in my browser I type www.client-ui.com/data/getXXX, obviously I should not be able to access that endpoint. I should only be able to do it from authentication-api if its JWT token has been verified.

So I guess some APIs should be accessible only from within the cluster and some publicly!?

Could you please explain how I can do that?

Thanks

Depending on the cloud provider, there are different annotations on the ingress services for that. What you want is an internal load balancer for a specific ingress resource. In your case (AWS) this should be:

    annotations:
      service.beta.kubernetes.io/aws-load-balancer-internal: "true"

See:
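A fuller manifest showing where that annotation goes, added here as an example and not part of the answer above: the annotation sits on the Service in front of a second ingress-nginx controller, so AWS creates an internal load balancer for it, and a NetworkPolicy covers the data-api case from the question. Namespace, label, port and class names are assumptions.

```yaml
# Added example, not the answer's own code. The annotation belongs on the
# Service that fronts the ingress-nginx controller pods, which is what AWS
# turns into a load balancer. Namespace, labels and ports are assumptions;
# a second controller Deployment with matching labels is assumed to exist.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-internal
  namespace: ingress-nginx
  annotations:
    # Internal ELB: reachable from the VPC, no public IP.
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: internal
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
---
# Defence in depth for the data-api case in the question: with this policy
# only pods labelled app=authentication-api in the same namespace can open
# connections to data-api, so even the internal ingress controller cannot
# reach it. Requires a CNI that enforces NetworkPolicy (e.g. Calico on kops).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: data-api-from-authentication-api-only
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: data-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: authentication-api
      ports:
        - protocol: TCP
          port: 8080
```

Services that must stay reachable from the VPC but not the internet go behind the internal controller; data-api, which should only ever be called by authentication-api, needs no Ingress at all once the policy is in place.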
