
How to limit IP Addresses that have access to kubernetes service?

Is there any way to limit the access to Kubernetes Service of type LoadBalancer from outside the cluster?

I would like to expose my database's pod to the Internet using the LoadBalancer service that would be accessible only for my external IP address.

My Kubernetes cluster runs on GKE.

Yes, you can achieve that on Kubernetes level with a native Kubernetes Network Policy. There you can limit the Ingress traffic to your Kubernetes Service by specifying policies for the Ingress type. An example could be:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    ports:
    - protocol: TCP
      port: 6379

More information can be found in the official documentation.

If you already want to block traffic from unwanted IP addresses on Load Balancer level, you have to define firewall rules and apply them on your GCP load balancer. More information regarding the GCP firewall rules can also be found in the documentation.

You can use loadBalancerSourceRanges to filter load balanced traffic as mentioned here.

Here is the simple example of Service in front of Nginx Ingress controllers:

apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: external
    app.kubernetes.io/name: ingress-nginx
  name: external-ingress-nginx-controller
  namespace: kube-ingress
spec:
  loadBalancerSourceRanges:
  - <YOUR_IP_1>
  - <YOUR_IP_2>
  - <YOUR_IP_3>
  ports:
  - name: https
    nodePort: 32293
    port: 443
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: external
    app.kubernetes.io/name: ingress-nginx
  type: LoadBalancer
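An added sanity check covering both approaches above (the NetworkPolicy ipBlock rule from the first answer and the loadBalancerSourceRanges allow-list from the second); this is example code, not part of either answer. It assumes the manifests have already been loaded into Python dicts, and the sample manifests and addresses below are constructed.

```python
import ipaddress

# Constructed sample manifests as Python dicts (what yaml.safe_load returns);
# hypothetical values, not taken from the answers above.
SERVICE = {"kind": "Service", "spec": {
    "type": "LoadBalancer", "externalTrafficPolicy": "Cluster",
    "loadBalancerSourceRanges": ["203.0.113.10/32", "0.0.0.0/0"]}}
POLICY = {"kind": "NetworkPolicy", "spec": {"policyTypes": ["Ingress"], "ingress": [
    {"from": [{"ipBlock": {"cidr": "172.17.0.0/16",
                           "except": ["172.17.1.0/24", "10.0.0.0/8"]}}]}]}}


def check_service(svc):
    """Findings about a LoadBalancer Service's loadBalancerSourceRanges allow-list."""
    findings, spec = [], svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return findings
    ranges = spec.get("loadBalancerSourceRanges") or []
    if not ranges:
        findings.append("no loadBalancerSourceRanges: any source can reach the LB")
    for r in ranges:
        try:
            net = ipaddress.ip_network(r, strict=False)
        except ValueError:
            findings.append(f"invalid CIDR {r!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{r} admits every address; the allow-list is ineffective")
    # With the default 'Cluster' policy kube-proxy may SNAT the client to a node IP,
    # so a NetworkPolicy ipBlock would then match the node rather than the real client.
    if spec.get("externalTrafficPolicy", "Cluster") != "Local":
        findings.append("externalTrafficPolicy is not Local: client source IP may be lost")
    return findings


def check_policy(pol):
    """Findings about ipBlock peers in a NetworkPolicy's ingress rules."""
    findings = []
    for rule in pol.get("spec", {}).get("ingress", []):
        for peer in rule.get("from", []):
            block = peer.get("ipBlock")
            if not block:
                continue
            cidr = ipaddress.ip_network(block["cidr"], strict=False)
            if cidr.prefixlen == 0 and not block.get("except"):
                findings.append(f"ipBlock {block['cidr']} allows ingress from everywhere")
            for ex in block.get("except", []):  # each except must lie inside cidr
                if not ipaddress.ip_network(ex, strict=False).subnet_of(cidr):
                    findings.append(f"except {ex} is not inside cidr {block['cidr']}")
    return findings
```

Run both checks over every Service and NetworkPolicy in a namespace before applying them; an empty findings list means the allow-list is narrow and the except entries are well-formed.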
