
Blacklist IP in Kubernetes security policy

I read through the Kubernetes network policy documentation and stumbled upon this statement:

What you can't do with network policies (at least, not yet)

The ability to explicitly deny policies (currently the model for NetworkPolicies is deny by default, with only the ability to add allow rules).

Is there a way around this limiting factor, or any add-on to Kubernetes that allows for blacklisting IPs?

You can use a 3rd-party tool for this task.

A few examples:

  1. https://docs.aws.amazon.com/eks/latest/userguide/restrict-service-external-ip.html

  2. https://istio.io/v1.1/docs/tasks/policy-enforcement/denial-and-list/#ip-based-whitelists-or-blacklists

```yaml
apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: whitelistip
spec:
  # providerUrl: ordinarily black and white lists are maintained
  # externally and fetched asynchronously using the providerUrl.
  overrides: ["10.57.0.0/16"]  # overrides provide a static list
  blacklist: false
  entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: sourceip
spec:
  value: source.ip | ip("0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip
spec:
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: whitelistip.listchecker
    instances:
    - sourceip.listentry
---
```
  3. With nginx

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1

    #
    # This is the relevant part
    #

    nginx.ingress.kubernetes.io/whitelist-source-range: 49.36.X.X/32
    # depending on the ingress controller version the annotation
    # above may need to be modified to remove the prefix nginx. i.e.
    # ingress.kubernetes.io/whitelist-source-range: 49.36.X.X/32
spec:
  rules:
  - host: web.manitestdomain.com
    http:
      paths:
      - path: /(.*)
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
```
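An added example (not from the question, the answer, Istio or ingress-nginx) that models how the two mechanisms in the answer decide on a source IP: the Istio listchecker's `overrides` list with its `blacklist` flag, and the ingress-nginx `whitelist-source-range` annotation under either of the two key prefixes the answer mentions, including the defender-relevant edge case that a missing annotation leaves the Ingress open to every source. The sample objects and CIDRs are constructed; the function names are my own.

```python
import ipaddress

# Constructed sample objects shaped like the answer's two manifests after
# `kubectl get ... -o json`; the CIDRs are documentation ranges, not page values.
ISTIO_LISTCHECKER = {"spec": {"overrides": ["10.57.0.0/16"], "blacklist": False}}
NGINX_INGRESS = {"metadata": {"name": "web-ingress", "annotations": {
    "nginx.ingress.kubernetes.io/whitelist-source-range": "203.0.113.7/32"}}}

# Both annotation keys the answer mentions (prefix depends on controller version).
WHITELIST_KEYS = ("nginx.ingress.kubernetes.io/whitelist-source-range",
                  "ingress.kubernetes.io/whitelist-source-range")


def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def listchecker_allows(checker, source_ip):
    """Istio listchecker decision: the source must be in `overrides` when
    blacklist=False and must NOT be in it when blacklist=True."""
    spec = checker["spec"]
    listed = _in_any(source_ip, spec.get("overrides", []))
    return not listed if spec.get("blacklist", False) else listed


def ingress_source_ranges(ingress):
    """CIDRs from whichever annotation key is present; None when unrestricted."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    for key in WHITELIST_KEYS:
        if key in annotations:
            return [c.strip() for c in annotations[key].split(",") if c.strip()]
    return None


def ingress_allows(ingress, source_ip):
    """A missing annotation means the controller accepts any source address."""
    ranges = ingress_source_ranges(ingress)
    return True if ranges is None else _in_any(source_ip, ranges)


def audit_open_ingresses(ingresses):
    """Defender's check: Ingresses reachable from any IP (no annotation or 0.0.0.0/0)."""
    open_names = []
    for ing in ingresses:
        ranges = ingress_source_ranges(ing)
        if ranges is None or any(ipaddress.ip_network(c, strict=False).prefixlen == 0
                                 for c in ranges):
            open_names.append(ing["metadata"]["name"])
    return open_names
```

Feed `audit_open_ingresses` the `items` list from `kubectl get ingress -A -o json` to list every Ingress that no source restriction protects.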
