堆栈内存溢出
  简体   繁体   English

负载均衡器上的入口 IP 白名单 - aws k8s

[英]Ingress ip whitelisting on load balancer - aws k8s

 原文  2019-03-22 09:29:02       amazon-web-services/ nginx/ kubernetes/ amazon-eks

问题描述

I am trying to use the Security group to allow https traffic only from a particular IP.我正在尝试使用安全组仅允许来自特定 IP 的 https 流量。 I have created the Ingress Service and resource.我已经创建了 Ingress 服务和资源。 (ref: NGINX Controller (参考: NGINX 控制器

I tried configuring below on Ingress Service.我尝试在 Ingress 服务上进行以下配置。

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {cert}
    # the backend instances are HTTP
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    # Map port 443
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
    service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: {SG Allowing ingres from IP}
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: http

I tried below on resource as well.我也在下面尝试过资源。

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: {SG Allowing ingres from IP}
    ingress.kubernetes.io/whitelist-source-range: "IP"
spec:
  rules:
  - host: test.com
    http:
      paths:
      - backend:
          serviceName: backend
          servicePort: 8080
        path: /

What am I missing?我错过了什么?

I see auto-generated SG on load balancer which allows all inbound traffic.我在负载均衡器上看到自动生成的 SG,它允许所有入站流量。 But I'm not sure if its created by service or resource.但我不确定它是由服务还是资源创建的。 And if its ok to edit that directly.如果可以直接编辑它。

Update: Autogenerated SG更新:自动生成的 SG 在此处输入图片说明

I added another SG which limits IP for ingress but doesn't get applied.我添加了另一个 SG,它限制了入口的 IP,但没有得到应用。

1 个解决方案

解决方案1
 0  2020-01-23 14:52:11

In your service definition of ingress add the following section在入口的服务定义中添加以下部分

spec:
  loadBalancerSourceRanges: //add this section
    - 127.0.0.1/32
    - 28.50.20.12/31
  type: LoadBalancer

The default behavior is that when you don't specify loadBalancerSourceRanges it default into 0/0默认行为是,当您不指定loadBalancerSourceRanges它默认为 0/0

Hope this helps.希望这可以帮助。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 k8s master前面的AWS负载均衡器 - AWS Load balancer in front of k8s master aws-load-balancer-eip-allocations 不起作用。 在 AWS 上使用 k8s 为 LoadBalancer 服务分配静态 IP - aws-load-balancer-eip-allocations does not work. Assign static IP to LoadBalancer service using k8s on AWS AWS-K8S-入口负载平衡器 - AWS - k8s - ingress LoadBalancer 具有现有 AWS HTTPS 负载均衡器的 K3S Kubernetes 集群中 Traefik Ingress Controller 的 AWS 证书解析器 - AWS certificate resolver for Traefik Ingress Controller in K3S Kubernetes Cluster with existing AWS HTTPS Load Balancer AWS VPC-K8S-负载平衡 - AWS VPC - k8s - load balancing 为 K8S 服务使用现有的负载均衡器 - Using existing load balancer for K8S service 用于 sg 源 ips 的 K8S 服务负载均衡器注释 - K8S service load balancer annotation for sg source ips 如何在kops在AWS上安装的k8s集群中使用alb-ingress-controller? - How to use alb-ingress-controller in k8s cluster which installed by kops on AWS? 使外部DNS与Kops AWS 1.7 K8s集群中的入口对象一起使用 - Getting External-DNS to work with Ingress Objects in Kops AWS 1.7 K8s Cluster 通过使用kops创建的AWS群集上的入口使k8s服务可用 - Make k8s services available via ingress on an AWS cluster created with kops
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM