|NO.Z.00355|——————————|CloudNative|——|KuberNetes&Operations.V71|——|IngressNginx.v07|Blacklist and whitelist|
1. Overview of IngressNginx blacklists and whitelists
### --- Configuration options
~~~     Annotations: take effect only on the Ingress they are set on
~~~     ConfigMap: takes effect globally
~~~     If both annotations and the ConfigMap are configured, the annotations normally take effect
~~~     and the ConfigMap setting does not, because annotations have a higher priority than the ConfigMap
### --- Difference between a whitelist and a blacklist
~~~     A whitelist denies everything by default and allows only the one address that is listed
~~~     A blacklist forbids the listed address from accessing anything
### --- Whether to configure blacklists and whitelists with the ConfigMap or with annotations
~~~     A blacklist can be configured with the ConfigMap
~~~     A whitelist is better configured with annotations
### --- Official annotations documentation:
~~~     https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
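The overview above names two mechanisms and says the annotation wins over the ConfigMap. The following is an added example, not code from this page or from the ingress-nginx project; it models how nginx's access module (into which ingress-nginx renders the `whitelist-source-range` annotation and the `block-cidrs` ConfigMap key) decides a request: rules are tested in order, the first match wins, and rules defined in a more specific context (the Ingress location) replace the global ones instead of merging with them. It goes beyond the page's single-address case by accepting comma-separated CIDR lists. All function names and the sample addresses are my own assumptions.

```python
"""Model of how ingress-nginx's whitelist and blacklist settings decide a request.

Added example; not code from this page or from the ingress-nginx project.
It follows the semantics of nginx's access module, into which ingress-nginx
renders the whitelist-source-range annotation and the block-cidrs ConfigMap
key: rules are checked in order, the first matching rule wins, and rules
defined in a more specific context (the Ingress location) replace the rules
of the global context instead of merging with them.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", CIDR, bare address, or "all")


def _split_cidrs(value: str) -> List[str]:
    """Annotation and ConfigMap values are comma-separated CIDR lists."""
    return [c.strip() for c in value.split(",") if c.strip()]


def whitelist_rules(source_range: str) -> List[Rule]:
    """whitelist-source-range: allow each listed range, then deny everything else."""
    return [("allow", c) for c in _split_cidrs(source_range)] + [("deny", "all")]


def blacklist_rules(block_cidrs: str) -> List[Rule]:
    """block-cidrs: deny each listed range; anything not listed stays allowed."""
    return [("deny", c) for c in _split_cidrs(block_cidrs)] + [("allow", "all")]


def covers(rule_cidr: str, client_ip: str) -> bool:
    """A bare address such as 192.168.1.11 is a single host, as in nginx."""
    if rule_cidr == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule_cidr, strict=False)


def decide(rules: List[Rule], client_ip: str) -> int:
    """HTTP status the access module produces: the first matching rule wins;
    when no rule matches at all nginx lets the request through."""
    for action, cidr in rules:
        if covers(cidr, client_ip):
            return 403 if action == "deny" else 200
    return 200


def effective_rules(global_rules: List[Rule], location_rules: List[Rule]) -> List[Rule]:
    """Location (annotation) rules, when present, replace the global (ConfigMap)
    rules; this is why the page says annotations take priority."""
    return location_rules if location_rules else global_rules


if __name__ == "__main__":
    # Constructed sample settings mirroring the page's experiment.
    configmap_blacklist = blacklist_rules("192.168.1.11")
    annotation_whitelist = whitelist_rules("192.168.1.11")
    for client in ("192.168.1.11", "192.168.1.15"):
        print(client,
              "whitelist only:", decide(annotation_whitelist, client),
              "blacklist only:", decide(configmap_blacklist, client),
              "both set:", decide(effective_rules(configmap_blacklist, annotation_whitelist), client))
```

Two points the model makes visible: a bare address in `whitelist-source-range` admits exactly one host, so a network needs CIDR notation such as `192.168.1.0/24`; and the address compared is whatever nginx sees as the client, so when the controller sits behind a load balancer that does not preserve the source address, the list is matched against the load balancer's address rather than the user's.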
2. Whitelist configuration
### --- Whitelist configuration: adding one annotation is enough
~~~     Add the annotation to the nginx-ingress configuration file
[root@k8s-master01 rewrite]# vim nginx-ingress-white.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.1.11
  name: ingress-test-rewrite2-strl
  namespace: ratel-test1
spec:
  rules:
  - host: rewrite2.test.com
    http:
      paths:
      - backend:
          serviceName: ingress-test
          servicePort: 80
        path: /abc(/|$)(.*)
        pathType: ImplementationSpecific
### --- Check the created ingress-white
[root@k8s-master01 rewrite]# kubectl get ingress -n ratel-test1
NAME                         CLASS    HOSTS               ADDRESS         PORTS     AGE
ingress-test-rewrite2-strl   <none>   rewrite2.test.com   10.105.89.225   80        7m42s

3. Access through a browser: local machine -> http://rewrite2.test.com/ -> the access fails

4. Access from the server 192.168.1.11
### --- Add a hosts entry
[root@k8s-master01 rewrite]# vim /etc/hosts
192.168.1.11 rewrite2.test.com
### --- Access rewrite2.test.com from 192.168.1.11
~~~     Access succeeds, because only this one host's address was added to the whitelist
~~~     Restore the whitelist configuration parameter
[root@k8s-master01 rewrite]# curl  rewrite2.test.com
<head><title>404 Not Found</title></head>

5. Blacklist configuration
### --- Blacklist configuration
~~~     Experiment: use the ConfigMap to reject one IP address: configure nginx-configuration to reject one address
~~~     -> https://krm.test.com/ratel -> configmap -> Namespace: ingress-nginx
~~~     -> ingress-nginx-controller -> Edit: add -> Data key: block-cidrs
~~~     -> value: 192.168.1.11 -> rejects access from one address -> END
### --- YAML file that uses the ConfigMap to configure a blacklist rejecting access from one IP address
[root@k8s-master01 rewrite]# cat ingress-nginx-controller.yaml
apiVersion: v1
data:
  block-cidrs: 192.168.1.11
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
    ratel.io/configMapLastVersion: "1"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 0.40.2
    helm.sh/chart: ingress-nginx-3.6.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
### --- Update ingress-nginx-controller
[root@k8s-master01 rewrite]# kubectl delete po -n ingress-nginx --all
pod "ingress-nginx-controller-9jkl7" deleted
pod "ingress-nginx-controller-j9psb" deleted
pod "ingress-nginx-controller-mvh2c" deleted
### --- Access the configured domains from 192.168.1.11: error 403
~~~     test-tls.test.com
~~~     rewrite2.test.com
[root@k8s-master01 rewrite]# curl rewrite2.test.com    # access is denied
<head><title>403 Forbidden</title></head>
[root@k8s-master01 rewrite]# curl test-tls.test.com
<head><title>308 Permanent Redirect</title></head>
### --- Access the configured domains from the local computer: access works
~~~     This shows that access works normally
~~~     https://test-tls.test.com/          output: Welcome to nginx!
~~~     http://rewrite2.test.com/           output: 404 Not Found

6. Configuring a blacklist with ingress annotations
### --- Create the Ingress configuration file
[root@k8s-master01 rewrite]# vim ingress-test-rewrite2-strip-path
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/server-snippet: |-
      deny 192.168.1.15;
      allow all;
  name: ingress-test-rewrite2-strip-path
  namespace: ratel-test1
spec:
  rules:
  - host: rewrite2.test.com
    http:
      paths:
      - backend:
          serviceName: ingress-test
          servicePort: 80
        path: /abc(/|$)(.*)
### --- Access from the blacklisted host 192.168.1.15 gives error 403: access is denied
[root@k8s-node02 ~]# curl rewrite2.test.com
<head><title>403 Forbidden</title></head>
~~~     # Access from 192.168.1.11 returns 404, which shows the request gets through
[root@k8s-master01 rewrite]# curl rewrite2.test.com
<head><title>404 Not Found</title></head>

~~~     # The domain that was not denied is still accessible
[root@k8s-node02 ~]# curl test-tls.test.com
<title>Welcome to nginx!</title>
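The blacklist in section 6 works because `deny 192.168.1.15;` comes before `allow all;`. The following is an added example, not code from this page or from ingress-nginx: it parses the allow/deny directives of a `server-snippet`, evaluates them the way nginx's access module does (first matching rule wins), and flags rules that an earlier rule shadows, so a snippet with the two lines reversed is reported instead of silently turning the blacklist off. The function names and the sample snippets are my own; the page's own snippet is one of the inputs. Note that snippet annotations inject raw nginx configuration, and newer ingress-nginx releases gate them behind the `allow-snippet-annotations` ConfigMap setting, so `whitelist-source-range` or `block-cidrs` are the safer choice whenever they express the rule you need.

```python
"""Order-sensitivity check for a server-snippet blacklist.

Added example; not code from this page or from ingress-nginx. It parses the
allow/deny directives of a server-snippet, evaluates them the way nginx's
access module does (first matching rule wins), and flags rules that an
earlier rule shadows, so 'allow all;' placed before 'deny 192.168.1.15;'
is reported instead of silently disabling the blacklist.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str]  # ("allow" | "deny", CIDR, bare address, or "all")


def parse_snippet(snippet: str) -> List[Rule]:
    """'deny 192.168.1.15;\\nallow all;' -> [("deny", "192.168.1.15"), ("allow", "all")].
    Statements other than allow/deny are ignored."""
    rules: List[Rule] = []
    for statement in snippet.split(";"):
        parts = statement.split()
        if len(parts) == 2 and parts[0] in ("allow", "deny"):
            rules.append((parts[0], parts[1]))
    return rules


def _network(cidr: str):
    # A bare address is a single-host network, matching nginx's reading of it.
    return ipaddress.ip_network(cidr, strict=False)


def covers(rule_cidr: str, client_ip: str) -> bool:
    return rule_cidr == "all" or ipaddress.ip_address(client_ip) in _network(rule_cidr)


def status_for(rules: List[Rule], client_ip: str) -> int:
    """403 if the first matching rule is deny; 200 if it is allow or nothing matches."""
    for action, cidr in rules:
        if covers(cidr, client_ip):
            return 403 if action == "deny" else 200
    return 200


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never be reached because an earlier rule already covers
    every address they cover: an earlier 'all', or an earlier wider network."""
    shadowed: List[Rule] = []
    for i, (action, cidr) in enumerate(rules):
        for _, earlier in rules[:i]:
            if earlier == "all":
                shadowed.append((action, cidr))
                break
            if cidr != "all":
                net, wider = _network(cidr), _network(earlier)
                if net.version == wider.version and net.subnet_of(wider):
                    shadowed.append((action, cidr))
                    break
    return shadowed


if __name__ == "__main__":
    # Constructed snippets: the page's working blacklist and a reversed one.
    for text in ("deny 192.168.1.15;\nallow all;", "allow all;\ndeny 192.168.1.15;"):
        rules = parse_snippet(text)
        print(repr(text), "->", status_for(rules, "192.168.1.15"), "shadowed:", shadowed_rules(rules))
```

Running the block prints 403 with no shadowed rules for the page's snippet and 200 with the deny rule shadowed for the reversed one; the same check catches a host-level `allow` that a preceding network-wide `deny` already covers.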