
How to hide Django Admin from the public on Azure Kubernetes Service while keeping access via backdoor

I'm running a Django app on Azure Kubernetes Service and, for security purposes, would like to do the following:

  • Completely block off the admin portal from the public (eg average Joe cannot reach mysite.com/admin)
  • Allow access through some backdoor (eg a private network, jump host, etc.)

One scenario would be to run two completely separate services: 1) the main API part of the app, which is just the primary codebase with the admin disabled. This is served publicly. 2) A private site behind some firewall which has admin enabled. Each could be on a different cluster with a different FQDN but all connect to the same datastore. This is definitely overkill - there must be a way to keep everything within the cluster.

I think there might be a way to configure the Azure networking layer to block/allow traffic from specific IP ranges, and do it on a per-endpoint basis (eg mysite.com/admin versus mysite.com/api/1/test). Alternatively, maybe this is doable on a per-subdomain level (eg api.mysite.com/anything versus admin.mysite.com/anything).

This might also be doable at the Kubernetes ingress layer but I can't figure out how.

What is the easiest way to satisfy the 2 requirements?

You can manage restrictions at the ingress level:

apiVersion: networking.k8s.io/v1   # extensions/v1beta1 was removed in Kubernetes 1.22
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    # Comma-separated CIDRs (e.g. 10.0.0.0/8); the XXX placeholders must be
    # replaced, the controller ignores entries that are not valid CIDRs.
    # The controller must also see the real client address: on AKS set
    # externalTrafficPolicy: Local on the ingress-nginx Service, otherwise
    # kube-proxy SNATs to a node IP and the check compares the wrong address.
    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.XXX, 192.175.2.XXX"
  name: staging-ingress
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: test.example.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service-name
            port:
              number: 80
  tls:
  - hosts:
    - test.example.io
    secretName: tls-cert

You can whitelist the IP addresses allowed to reach a specific path to resolve your backdoor issue. For the other paths you can create another ingress rule without the annotation, for public access.

For a particular path:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # No rewrite-target here: rewriting /admin/... to /... would strip the
    # prefix Django's admin URLs need and break the admin site.
    # Comma-separated CIDRs; replace the XXX placeholders with real ranges.
    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.XXX, 192.175.2.XXX"
  # A different name from the public Ingress: two objects with the same
  # name in one namespace would overwrite each other instead of being merged.
  name: staging-ingress-admin
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: test.example.io
    http:
      paths:
      - path: /admin
        pathType: Prefix
        backend:
          service:
            name: service-name
            port:
              number: 80
  tls:
  - hosts:
    - test.example.io
    secretName: tls-cert

test.example.io/admin will only be accessible from the whitelisted source range.
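The two-Ingress layout from the answer above, as a complete added example that is not code from the original answer: a script that validates the allow-list the way ingress-nginx will (each entry must be a CIDR, an empty value would silently leave /admin public) and then prints a public Ingress for the whole site plus a second Ingress that restricts /admin to that allow-list. The host mysite.example, the Service name django on port 80, the TLS secret tls-cert, the ingress class nginx and the ingress-nginx Service name used in the usage comments are assumptions, not values from the original page.

```shell
#!/bin/sh
# Added example (not from the original answer): render a public Ingress for a
# Django app and a second Ingress that limits /admin to a source-range
# allow-list, checking the CIDR list before it reaches the cluster.
# Assumed names: host mysite.example, Service django:80, secret tls-cert,
# ingress class nginx. IPv4 only (assumption: an IPv4-only allow-list).
set -eu

# Shape check for an IPv4 CIDR (a.b.c.d/n). ingress-nginx parses each entry
# as a CIDR, so a bare address or a placeholder such as 192.168.0.XXX makes
# the controller drop the annotation. Octet range (<=255) is left to the
# controller; this only rejects values that are obviously not CIDRs.
is_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Accept the annotation value as ingress-nginx does: comma-separated CIDRs,
# optional spaces after the commas. An empty list is rejected because an
# empty whitelist-source-range means "no restriction", i.e. a public admin.
validate_ranges() {
  [ -n "$1" ] || { echo "empty allow-list would expose /admin" >&2; return 1; }
  for entry in $(printf '%s' "$1" | tr ',' ' '); do
    is_cidr "$entry" || { echo "not a CIDR: $entry" >&2; return 1; }
  done
}

# Print both Ingress objects. ingress-nginx merges objects for the same host
# into one server block and nginx picks the longest matching location, so
# /admin carries the allow-list while every other path stays public.
render_manifests() {
  allow_list="$1"
  validate_ranges "$allow_list"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: django-public
  namespace: default
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - mysite.example
    secretName: tls-cert
  rules:
  - host: mysite.example
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: django
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: django-admin
  namespace: default
  annotations:
    # Requests from outside these ranges get a 403 from nginx before Django sees them.
    nginx.ingress.kubernetes.io/whitelist-source-range: "$allow_list"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - mysite.example
    secretName: tls-cert
  rules:
  - host: mysite.example
    http:
      paths:
      - path: /admin
        pathType: Prefix
        backend:
          service:
            name: django
            port:
              number: 80
EOF
}

# Usage (assumed ingress-nginx install in namespace ingress-nginx):
#   render_manifests "203.0.113.0/24,10.240.0.0/16" | kubectl apply -f -
#   kubectl -n ingress-nginx patch svc ingress-nginx-controller \
#     -p '{"spec":{"externalTrafficPolicy":"Local"}}'
#   curl -sk -o /dev/null -w '%{http_code}\n' https://mysite.example/admin/
```

The `kubectl patch` step is what makes the allow-list meaningful on AKS: with the default `externalTrafficPolicy: Cluster`, kube-proxy SNATs load-balancer traffic to a node address before it reaches the controller pod, so the whitelist compares node IPs rather than the caller's and either blocks everyone or nobody. With `Local` the Azure load balancer only sends traffic to nodes running a controller pod and the original source address is preserved. Django's admin URLs all live under `/admin/`, so the `Prefix` match covers them; any other path that happens to start with `/admin` is restricted too, which is the safe direction. The public Ingress still routes `/admin` to Django if the admin Ingress is ever deleted, so keep Django's own authentication in place as the second layer.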

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM