1. Ingress-nginx whitelists and blacklists
Scenarios:
1. A core interface exposed to the outside may only be reached from specific IP addresses (partner access).
2. A finance application may only be reached from a specific IP range (internal-network restriction).
Points to note:
- Annotations apply only to the Ingress (and therefore the Service) they are set on.
- ConfigMap settings apply globally to every Ingress served by the controller.
- A blacklist can be configured in the ConfigMap; a whitelist is better configured with annotations.
- A whitelist denies everything by default and admits only the addresses it lists.
- A blacklist refuses the listed addresses access to everything.
- If both annotations and the ConfigMap are configured, the annotations normally take effect and the ConfigMap setting does not, because annotations have a higher priority than the ConfigMap.
1.1 Whitelist
1.1.1 A specific IP
To restrict access to a specific IP, add the following to the Ingress:
```yaml
annotations:
  nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.60
```
Complete manifest:
```bash
# Write the Ingress
[root@master01 6]# vim ingress-nginx-whitelist-ip.yaml
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: java-ingress-nginx
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.60
spec:
  ingressClassName: nginx
  rules:
  - host: java.zhang-qing.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: springboot
            port:
              number: 8080
        path: /
```
```bash
# Apply it (kaf, k and kg are the shell aliases used throughout for kubectl apply -f, kubectl and kubectl get)
[root@master01 6]# kaf ingress-nginx-whitelist-ip.yaml
```
Test:
```bash
# Test from host 10.0.0.61: a 403 is observed
[root@master01 6]# curl -i -k http://java.zhang-qing.com/appone
HTTP/1.1 403 Forbidden
Date: Mon, 07 Apr 2025 05:19:35 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
# Test from host 10.0.0.60: the request succeeds
[root@master01 6]# curl -i -k http://java.zhang-qing.com/appone
HTTP/1.1 200
Date: Mon, 07 Apr 2025 05:19:22 GMT
Content-Type: application/json
Content-Length: 6
Connection: keep-alive
```
Clean up:
```bash
[root@master01 6]# k delete -f ingress-nginx-whitelist-ip.yaml
```
1.1.2 An IP range
Whitelisting a network range (several entries are separated by commas):
```yaml
annotations:
  nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/24,192.168.10.1
```
Complete manifest:
```bash
# Write the Ingress
[root@master01 6]# vim ingress-nginx-whitelist-ipsub.yaml
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: java-ingress-nginx
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/24,192.168.10.1
spec:
  ingressClassName: nginx
  rules:
  - host: java.zhang-qing.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: springboot
            port:
              number: 8080
        path: /
```
```bash
# Apply it
[root@master01 6]# kaf ingress-nginx-whitelist-ipsub.yaml
```
Test:
```bash
# Test from host 10.0.0.61: the request now succeeds
[root@master01 6]# curl -i -k http://java.zhang-qing.com/appone
HTTP/1.1 200
Date: Mon, 07 Apr 2025 05:24:32 GMT
Content-Type: application/json
Content-Length: 6
Connection: keep-alive
```
Configuring the whitelist in the controller ConfigMap instead (back up the current ConfigMap before changing it):
```bash
# Back up
[root@master01 6]# kg cm -ningress-nginx ingress-nginx-controller -oyaml > ingress-nginx-controller.yaml
# Configure the whitelist
[root@master01 6]# vim ingress-nginx-whitelist-all.yaml
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.7.0
    helm.sh/chart: ingress-nginx-4.6.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # both keys belong in a single data block; a second top-level "data:" key is a duplicate-key YAML error
  allow-snippet-annotations: "true"
  whitelist-source-range: 10.1.10.0/24
```
```bash
# Apply it
[root@master01 ~]# kaf ingress-nginx-whitelist-all.yaml
```
Question: once the rule above is applied, does a request to http://java.zhang-qing.com/appone return 200 or 403?
```bash
# A 200 is observed, which shows that the annotation has a higher priority than the ConfigMap
[root@master01 6]# curl http://java.zhang-qing.com/appone -I
HTTP/1.1 200
Date: Thu, 10 Apr 2025 06:52:07 GMT
Content-Type: application/json
Content-Length: 6
Connection: keep-alive
```
Clean up:
```bash
# Remove the test resources
[root@master01 6]# k delete -f ingress-nginx-whitelist-all.yaml -f ingress-nginx-whitelist-ipsub.yaml
# Restore the ConfigMap from the backup
[root@master01 6]# kaf ingress-nginx-controller.yaml -n ingress-nginx
```
1.2 Blacklist
Annotation configuration:
```bash
# Write the manifest
[root@master01 6]# vim ingress-nginx-blacklist-all.yaml
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: java-ingress-nginx
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |-
      deny 10.0.0.60;
      allow all;
spec:
  ingressClassName: nginx
  rules:
  - host: java.zhang-qing.com
    http:
      paths:
      - pathType: Prefix
        backend:
          service:
            name: springboot
            port:
              number: 8080
        path: /
```
The server-snippet annotation is only honoured when the controller ConfigMap has allow-snippet-annotations set to "true" (the ConfigMap shown below already does). Enabling snippet annotations lets anyone who can create an Ingress inject arbitrary nginx configuration into the controller, which is why newer ingress-nginx releases default it to false; on shared clusters prefer whitelist-source-range and block-cidrs, which need no snippet.
```bash
# Apply the manifest
[root@master01 6]# kaf ingress-nginx-blacklist-all.yaml
```
Test:
```bash
# Request from host 10.0.0.60
[root@master01 6]# curl -i -k http://java.zhang-qing.com/appone
HTTP/1.1 403 Forbidden
# Request from a different node (not 10.0.0.60)
[root@master01 6]# curl -i -k http://java.zhang-qing.com/appone
HTTP/1.1 200
```
Clean up:
```bash
[root@master01 6]# k delete -f ingress-nginx-blacklist-all.yaml
```
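The order of the two directives in the snippet matters: nginx's access module tests allow/deny directives in order and the first match decides, so `allow all;` placed first would admit 10.0.0.60 as well. The Python below is an added example, not code from this page or from ingress-nginx; it models that evaluation so a snippet can be checked before it is applied. The names `parse_snippet`, `is_allowed` and `check_ordering` are hypothetical helpers of my own, and the snippet strings are constructed from the manifest above.

```python
import ipaddress

# Added example (not from the page or from ingress-nginx): a minimal model of how
# nginx's access module evaluates "allow" / "deny" directives, so a server-snippet
# blacklist can be checked before it is applied. Assumption, matching nginx's
# documented behaviour: directives are tested in order, the first one whose
# address matches the client wins, and a client matching nothing is allowed.


def parse_snippet(snippet):
    """Parse 'deny 10.0.0.60;\\nallow all;' into (action, network) tuples.

    network is None for the keyword 'all'. Only allow/deny are understood;
    any other directive raises, which is the safe outcome for a pre-apply check.
    """
    rules = []
    for statement in snippet.split(";"):
        statement = statement.strip()
        if not statement:
            continue
        parts = statement.split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"unsupported directive in snippet: {statement!r}")
        action, target = parts
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def is_allowed(snippet, client_ip):
    """Return True if client_ip passes the access rules in snippet."""
    addr = ipaddress.ip_address(client_ip)
    for action, network in parse_snippet(snippet):
        if network is None or addr in network:
            return action == "allow"
    return True  # no directive matched: nginx allows the request


# The snippet used in the Ingress above, and the same two directives reversed
# (both constructed for this example).
BLACKLIST_SNIPPET = "deny 10.0.0.60;\nallow all;"
REVERSED_SNIPPET = "allow all;\ndeny 10.0.0.60;"


def check_ordering():
    """Summarise what each ordering does to the blocked host and to another host."""
    return {
        "deny-first blocks 10.0.0.60": not is_allowed(BLACKLIST_SNIPPET, "10.0.0.60"),
        "deny-first allows 10.0.0.61": is_allowed(BLACKLIST_SNIPPET, "10.0.0.61"),
        "allow-first still blocks 10.0.0.60": not is_allowed(REVERSED_SNIPPET, "10.0.0.60"),
    }


if __name__ == "__main__":
    for description, outcome in check_ordering().items():
        print(f"{description}: {outcome}")
```

Running it shows the deny-first snippet rejecting 10.0.0.60 and admitting 10.0.0.61, while the reversed snippet rejects nobody. The same first-match rule is what makes the whitelist annotation work: ingress-nginx renders whitelist-source-range as one `allow` per entry followed by `deny all`.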
ConfigMap configuration:
```bash
# Back up
[root@master01 6]# kg cm -ningress-nginx ingress-nginx-controller -oyaml > ingress-nginx-controller.yaml
# Write the ConfigMap
[root@master01 6]# vim ingress-nginx-blacklist-cm.yaml
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.7.0
    helm.sh/chart: ingress-nginx-4.6.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # all three keys belong in a single data block; a second top-level "data:" key is a duplicate-key YAML error
  allow-snippet-annotations: "true"
  whitelist-source-range: 10.0.0.0/24
  block-cidrs: 10.0.0.60/32
```
Results for requests from different IPs:
- IP in the whitelist but not in the blacklist: e.g. 10.0.0.10 is inside the whitelist 10.0.0.0/24 and not in the blacklist 10.0.0.60/32, so its requests are allowed.
- IP in both the whitelist and the blacklist: 10.0.0.60 is inside the whitelist 10.0.0.0/24 but also in the blacklist 10.0.0.60/32, so its requests are rejected.
- IP not in the whitelist: 10.0.1.10 is outside the whitelist 10.0.0.0/24, so its requests are rejected regardless of whether it is in the blacklist.
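The three cases above, together with the annotation-over-ConfigMap precedence test from 1.1.2, can be checked against a small model before the ConfigMap is applied. The code below is an added example, not part of this page or of ingress-nginx; it encodes the page's own rules as assumptions (an Ingress whitelist annotation replaces the ConfigMap whitelist for that Ingress; block-cidrs is global and wins over any whitelist) rather than reading the controller's template, and `decide`, `parse_ranges` and `expected_results` are hypothetical helper names of my own. The ConfigMap and annotation dictionaries are constructed from the manifests in this section.

```python
import ipaddress

# Added example (not from the page or from ingress-nginx): a model of the access
# decision this section describes, so the expected status for a client address can
# be checked before the ConfigMap is applied. The rules are taken from the page's
# own statements, not from the controller's template, and are assumptions:
#   1. a whitelist-source-range annotation on the Ingress replaces the ConfigMap's
#      whitelist-source-range for that Ingress (the annotation wins);
#   2. with a whitelist in force the client must match one of its entries;
#      no whitelist at all means no source restriction;
#   3. block-cidrs in the ConfigMap is global and rejects a matching client even
#      when a whitelist would admit it.

WHITELIST_ANNOTATION = "nginx.ingress.kubernetes.io/whitelist-source-range"


def parse_ranges(value):
    """Parse a comma-separated list such as '10.0.0.0/24,192.168.10.1'."""
    if not value:
        return []
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(",") if item.strip()]


def decide(client_ip, configmap_data, ingress_annotations=None):
    """Return the HTTP status (200 or 403) expected for client_ip."""
    addr = ipaddress.ip_address(client_ip)
    annotations = ingress_annotations or {}
    # Rule 3: the global blacklist is checked first and cannot be overridden.
    if any(addr in net for net in parse_ranges(configmap_data.get("block-cidrs"))):
        return 403
    # Rule 1: the annotation, if present, replaces the ConfigMap whitelist.
    whitelist = parse_ranges(annotations.get(WHITELIST_ANNOTATION,
                                             configmap_data.get("whitelist-source-range")))
    # Rule 2: an active whitelist must contain the client.
    if whitelist and not any(addr in net for net in whitelist):
        return 403
    return 200


# Constructed from the ConfigMap in this section.
BLACKLIST_CM = {"whitelist-source-range": "10.0.0.0/24", "block-cidrs": "10.0.0.60/32"}
# Constructed from the precedence test in 1.1.2.
PRECEDENCE_CM = {"whitelist-source-range": "10.1.10.0/24"}
PRECEDENCE_ANNOTATIONS = {WHITELIST_ANNOTATION: "10.0.0.0/24,192.168.10.1"}


def expected_results():
    """The three cases listed above plus the 1.1.2 precedence check."""
    return {
        "10.0.0.10 whitelisted, not blocked": decide("10.0.0.10", BLACKLIST_CM),
        "10.0.0.60 whitelisted and blocked": decide("10.0.0.60", BLACKLIST_CM),
        "10.0.1.10 not whitelisted": decide("10.0.1.10", BLACKLIST_CM),
        "10.0.0.61 with annotation override": decide("10.0.0.61", PRECEDENCE_CM, PRECEDENCE_ANNOTATIONS),
        "10.0.0.61 with ConfigMap whitelist only": decide("10.0.0.61", PRECEDENCE_CM),
    }


if __name__ == "__main__":
    for case, status in expected_results().items():
        print(f"{case}: {status}")
```

The model reproduces the page's observations: 200 for 10.0.0.10, 403 for 10.0.0.60 and 10.0.1.10, and for 10.0.0.61 a 200 only while the Ingress annotation is present (the ConfigMap whitelist 10.1.10.0/24 alone would reject it). Because the rules are written as assumptions, the script is also a convenient place to record the real curl results if a cluster ever behaves differently.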
Clean up (delete the test ConfigMap and restore the backup):
```bash
[root@master01 6]# k delete -f ingress-nginx-blacklist-cm.yaml; kaf ingress-nginx-controller.yaml
```