我在 Kubernetes 中有一个 nginx 入口,它有一个白名单(由 nginx.ingress.kubernetes.io/whitelist-source-range 注释处理)和一个自定义端口映射(它公开了一个通过 --tcp-services-configmap 配置映射的 SFTP 服务器端口 22)。白名单适用于 80 和 443,但不适用于 22。如何将我的自定义端口列入白名单?
配置大致如下:
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
...
spec:
serviceAccountName: nginx-ingress-serviceaccount
containers:
- name: nginx-ingress-controller
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.33.0
args:
- /nginx-ingress-controller
- --configmap=$(POD_NAMESPACE)/nginx-configuration
- --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
- --udp-services-configmap=$(POD_NAMESPACE)/udp-services
- --publish-service=$(POD_NAMESPACE)/ingress-nginx
- --annotations-prefix=nginx.ingress.kubernetes.io
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: sftp
containerPort: 22
...
kind: Ingress
metadata:
name: {{ .controllerName }}
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/whitelist-source-range: {{ .ipAllowList }}
kind: ConfigMap
apiVersion: v1
metadata:
name: tcp-services
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
data:
22: "default/sftp:22"
更新
感谢@jordanm,我发现我可以通过 LoadBalancer 中的 loadBalancerSourceRanges 而不是 nginx 来限制所有端口的 IP 地址:
kind: Service
apiVersion: v1
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
externalTrafficPolicy: Local
type: LoadBalancer
loadBalancerIP: {{ .loadBalancerIp }}
selector:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
ports:
- name: http
port: 80
targetPort: http
- name: https
port: 443
targetPort: https
- name: sftp
port: 22
targetPort: sftp
loadBalancerSourceRanges:
{{ .ipAllowList }}
最佳答案
先来看这个问题:ip-whitelist-support .
IPs are not whitelisted for TCP services, an alternative would be to create a separate firewall for the TCP services and whitelist the IPs at the firewall level.
具体位置{{ $path }}我们已经定义 {{ if isLocationAllowed $location }} .
查看官方 Ingress 文档:ingress-kubernetes .
Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource.
An Ingress does not expose arbitrary ports or protocols. Exposing services other than HTTP and HTTPS to the internet typically uses a service of type Service.Type=NodePort or Service.Type=LoadBalancer.
You must have an Ingress controller to satisfy an Ingress. Only creating an Ingress resource has no effect.
在这种情况下 Ingress 资源工具 ingress-controller 如何处理 http/https 请求。在这种方法中,nginx-ingress Controller 作为软件(引入第 7 层功能/负载平衡)。
如果您对 nginx ingress tcp 支持感兴趣:
Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags --tcp-services-configmap and --udp-services-configmap
如果您想在使用您的 tcp 服务时检查更精细的配置,您应该考虑使用您的云提供商提供的 L4 负载平衡/防火墙设置。
关于nginx - 如何将 nginx 入口自定义端口列入白名单,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/66711851/