Col*_*rk1 5 nginx kubernetes kubernetes-ingress
I have a simple Kubernetes Ingress.
I need to deny access to some critical paths, such as /admin or others.
My Ingress file is shown below.
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-test
spec:
  rules:
  - host: host.host.com
    http:
      paths:
      - path: /service-mapping
        backend:
          serviceName: /service-mapping
          servicePort: 9042
```
How can I deny a custom path using a Kubernetes Ingress, nginx annotations, or some other method?
I handled this with an annotation, as shown below.
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginx-configuration-snippet
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      server_tokens off;
      location DANGER-PATH {
        deny all;
        return 403;
      }
spec:
  rules:
  - host: api.myhost.com
    http:
      paths:
      - backend:
          serviceName: bookapi-2
          servicePort: 8080
        path: PATH
```
Nic*_*Rak 10
I ran into the same problem and found a solution on GitHub.
To achieve your goal, you need to create two Ingresses, first the default one without any restrictions:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-test
spec:
  rules:
  - host: host.host.com
    http:
      paths:
      - path: /service-mapping
        backend:
          serviceName: /service-mapping
          servicePort: 9042
```

Then create a secret for auth as described in the documentation:

Create the htpasswd file:

```
$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo
```

Create the secret:

```
$ kubectl create secret generic basic-auth --from-file=auth
secret "basic-auth" created
```

The second Ingress requires authentication for the paths that need to be restricted:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - foo"
spec:
  rules:
  - host: host.host.com
    http:
      paths:
      - path: /admin
        backend:
          serviceName: service_name
          servicePort: 80
```

According to sedooe's answer, his solution may have some issues.
Chr*_*nes 10
Replicate the official Kubernetes approach and use the defaultbackend container, which always returns 404.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: defaultbackend
spec:
  selector:
    matchLabels:
      app: defaultbackend
  template:
    metadata:
      labels:
        app: defaultbackend
    spec:
      containers:
      - name: defaultbackend
        image: k8s.gcr.io/defaultbackend-amd64:1.5
        resources:
          requests:
            memory: 10M
            cpu: 5m
          limits:
            memory: 10M
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: defaultbackend
spec:
  selector:
    app: defaultbackend
  ports:
  - port: 80
    targetPort: 8080
```
Then add a paths entry to your Ingress:
```yaml
paths:
- path: /
  backend:
    serviceName: my-real-service
    servicePort: 3000
- path: /admin
  backend:
    serviceName: defaultbackend
    servicePort: 80
```
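
Added example, not part of any answer above: a Python check over data shaped like `kubectl get ingress -o json` that reports, per host, whether a sensitive path ends up behind the basic-auth annotations, on the always-404 defaultbackend, or on an ordinary service. The sample items, the `/internal` path, the `_ing` helper and the longest-prefix matching model are assumptions made for illustration.

```python
AUTH_KEYS = ("nginx.ingress.kubernetes.io/auth-type",
             "nginx.ingress.kubernetes.io/auth-secret")

def covers(rule_path, target):
    """True if an Ingress path covers target, comparing whole path segments."""
    rule = rule_path.rstrip("/")
    return target == rule or target.startswith(rule + "/")

def audit(ingress_list, sensitive_paths, deny_services=("defaultbackend",)):
    """Map (host, path) to 'denied', 'auth', 'exposed' or 'unrouted'."""
    routes = {}  # host -> [(path, service name, ingress has basic-auth annotations)]
    for ing in ingress_list["items"]:
        ann = ing["metadata"].get("annotations") or {}
        has_auth = all(k in ann for k in AUTH_KEYS)
        for rule in ing["spec"].get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                b = p["backend"]  # v1beta1: serviceName; networking.k8s.io/v1: service.name
                svc = b.get("serviceName") or b.get("service", {}).get("name")
                routes.setdefault(rule.get("host", "*"), []).append(
                    (p.get("path", "/"), svc, has_auth))
    report = {}
    for host, entries in routes.items():
        for target in sensitive_paths:
            hits = [e for e in entries if covers(e[0], target)]
            # Assumption: the longest matching path decides where the request goes.
            best = max(hits, key=lambda e: len(e[0].rstrip("/")), default=None)
            report[(host, target)] = (
                "unrouted" if best is None else "denied" if best[1] in deny_services
                else "auth" if best[2] else "exposed")
    return report

def _ing(host, paths, annotations=None):
    """Constructed Ingress item in the extensions/v1beta1 shape used on this page."""
    return {"metadata": {"annotations": annotations},
            "spec": {"rules": [{"host": host, "http": {"paths": [
                {"path": p, "backend": {"serviceName": s, "servicePort": 80}}
                for p, s in paths]}}]}}

# Constructed sample, shaped like `kubectl get ingress -o json`; /internal is made up.
SAMPLE = {"items": [
    _ing("host.host.com", [("/", "my-real-service"), ("/internal", "defaultbackend")]),
    _ing("host.host.com", [("/admin", "service_name")],
         {AUTH_KEYS[0]: "basic", AUTH_KEYS[1]: "basic-auth"}),
    _ing("api.myhost.com", [("/", "bookapi-2")]),
]}

if __name__ == "__main__":
    for (host, path), verdict in sorted(audit(SAMPLE, ["/admin", "/internal"]).items()):
        print(f"{host}{path}: {verdict}")
```

An `exposed` verdict means the path falls through to a catch-all rule on a host that has neither protection; the auth annotations apply to every path in the Ingress object that carries them, which is why the restricted path lives in its own Ingress.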