I. Per-Ingress denylist
1. Configure a denylist to block a single IP or an IP range. Here 10.0.0.20 is added to the denylist (separate multiple entries with commas).
[root@k8s-master01 ~]# vim ip-denylist-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/denylist-source-range: 10.0.0.20
  name: nginx-ingress
  namespace: study-ingress
spec:
  ingressClassName: nginx # for k8s >= 1.22+
  rules:
  - host: auth.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
Note: auth.test.com is not a registered third-party domain but a made-up one, so it has to be resolved through the hosts entries added below.
2. Create the Ingress
[root@k8s-master01 ~]# kaf ip-denylist-ingress.yaml
3. Add hosts entries on the 10.0.0.20 and 10.0.0.21 hosts
# on host 10.0.0.20
echo "10.0.0.22 auth.test.com" >> /etc/hosts
# on host 10.0.0.21
echo "10.0.0.22 auth.test.com" >> /etc/hosts
4. Test access from 10.0.0.20 and 10.0.0.21; only 10.0.0.21 can reach the site
# test from 10.0.0.20: the request is rejected because this IP is on the denylist
[root@k8s-master01 day012]# curl auth.test.com -I
HTTP/1.1 403 Forbidden
Date: Wed, 19 Mar 2025 07:08:32 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
# test from 10.0.0.21: succeeds
[root@k8s-node01 ~]# curl auth.test.com -I
HTTP/1.1 200 OK
Date: Wed, 19 Mar 2025 07:05:58 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Wed, 10 Apr 2019 01:08:42 GMT
ETag: "5cad421a-264"
Accept-Ranges: bytes
5. Clean up
[root@k8s-master01 ~]# k delete -f ip-denylist-ingress.yaml
II. Per-Ingress allowlist
An allowlist means only the listed IPs may access the Ingress. It can be set directly in the Ingress YAML (or via the ConfigMap). For example, to allow only 10.0.0.20, add a single nginx.ingress.kubernetes.io/whitelist-source-range annotation.
1. Configure an allowlist permitting a single IP or an IP range. Here 10.0.0.20 is added to the allowlist (separate multiple entries with commas).
[root@k8s-master01 ~]# vim ip-allowlist-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.20
  name: nginx-ingress
  namespace: study-ingress
spec:
  ingressClassName: nginx # for k8s >= 1.22+
  rules:
  - host: auth.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
Note: auth.test.com is not a registered third-party domain but a made-up one, so it has to be resolved through the hosts entries added below.
2. Create the Ingress
[root@k8s-master01 ~]# kaf ip-allowlist-ingress.yaml
3. Add hosts entries on the 10.0.0.20 and 10.0.0.21 hosts
# on host 10.0.0.20
echo "10.0.0.22 auth.test.com" >> /etc/hosts
# on host 10.0.0.21
echo "10.0.0.22 auth.test.com" >> /etc/hosts
4. Test access from 10.0.0.20 and 10.0.0.21; only 10.0.0.20 can reach the site
# test from 10.0.0.20: succeeds because this IP is on the allowlist
[root@k8s-master01 day012]# curl auth.test.com -I
HTTP/1.1 200 OK
Date: Wed, 19 Mar 2025 07:14:07 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Wed, 10 Apr 2019 01:08:42 GMT
ETag: "5cad421a-264"
Accept-Ranges: bytes
# test from 10.0.0.21: rejected, since it is not on the allowlist
[root@k8s-node01 ~]# curl auth.test.com -I
HTTP/1.1 403 Forbidden
Date: Wed, 19 Mar 2025 07:14:23 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
5. Clean up
[root@k8s-master01 ~]# k delete -f ip-allowlist-ingress.yaml
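As an added illustration (not code from this page or from ingress-nginx), the following Python models how the two annotations from sections I and II classify a client address, including the comma-separated IP/CIDR form the text mentions; how an Ingress that carries both lists is handled is this model's own assumption, not something the page states.

```python
import ipaddress

# Annotation keys used by ingress-nginx, as shown in the manifests above.
DENYLIST = "nginx.ingress.kubernetes.io/denylist-source-range"
ALLOWLIST = "nginx.ingress.kubernetes.io/whitelist-source-range"


def parse_source_range(value):
    """Parse the comma-separated IP/CIDR list the annotations accept.

    A bare address such as 10.0.0.20 becomes a /32 (or /128) network.
    """
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def ip_in_ranges(client_ip, nets):
    """True when client_ip falls inside any of the parsed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def decide(annotations, client_ip):
    """Return the HTTP status (200 or 403) the Ingress would answer client_ip with.

    Model used here (an assumption, not the controller's source): a client on
    the denylist is refused; if an allowlist is present, any client not on it is
    refused; with neither list configured every client is admitted.
    """
    deny_nets = parse_source_range(annotations.get(DENYLIST, ""))
    if ip_in_ranges(client_ip, deny_nets):
        return 403
    allow_raw = annotations.get(ALLOWLIST)
    if allow_raw is not None and not ip_in_ranges(client_ip, parse_source_range(allow_raw)):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed metadata.annotations mirroring the two manifests above.
    deny_ingress = {DENYLIST: "10.0.0.20"}
    allow_ingress = {ALLOWLIST: "10.0.0.20"}
    for ip in ("10.0.0.20", "10.0.0.21"):
        print(ip, "denylist:", decide(deny_ingress, ip), "allowlist:", decide(allow_ingress, ip))
```

Both lists match on the client address the controller actually observes; behind a load balancer or proxy that is often the proxy's address unless the real client IP is preserved, so test from the real network path as the page does.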
III. Global denylist
ingress-nginx also supports global deny- and allowlists (a global allowlist should be used with care). They are added to the controller's ConfigMap and take effect without restarting the Controller. Add a global denylist:
1. Edit the ConfigMap to block access from host 10.0.0.20
[root@k8s-master01 ~]# kg cm -n ingress-nginx | grep ingress
ingress-nginx-controller 2 4h19m
# add denylist-source-range: 10.0.0.20 under the data field
[root@k8s-master01 ~]# k edit cm ingress-nginx-controller -n ingress-nginx
...
...
data:
  allow-snippet-annotations: "true"
  annotations-risk-level: Critical
  denylist-source-range: 10.0.0.20
...
...
2. Create a test Ingress (no per-Ingress annotation this time)
[root@k8s-master01 ~]# vim ip-denylist-ingress-test.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: study-ingress
spec:
  ingressClassName: nginx # for k8s >= 1.22+
  rules:
  - host: auth.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
# create the Ingress
[root@k8s-master01 ~]# kaf ip-denylist-ingress-test.yaml
3. Add hosts entries on the 10.0.0.20 and 10.0.0.21 hosts
# on host 10.0.0.20
echo "10.0.0.22 auth.test.com" >> /etc/hosts
# on host 10.0.0.21
echo "10.0.0.22 auth.test.com" >> /etc/hosts
4. Test access from 10.0.0.20 and 10.0.0.21; only 10.0.0.21 can reach the site
# test from 10.0.0.20: with the global denylist in place, requests to every host are rejected
[root@k8s-master01 day012]# curl auth.test.com -I
HTTP/1.1 403 Forbidden
Date: Wed, 19 Mar 2025 07:08:32 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
# test from 10.0.0.21: succeeds
[root@k8s-node01 ~]# curl auth.test.com -I
HTTP/1.1 200 OK
Date: Wed, 19 Mar 2025 07:05:58 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Wed, 10 Apr 2019 01:08:42 GMT
ETag: "5cad421a-264"
Accept-Ranges: bytes
5. Clean up
[root@k8s-master01 ~]# k delete -f ip-denylist-ingress-test.yaml
IV. Global allowlist
1. Edit the ConfigMap so that only host 10.0.0.20 may access
[root@k8s-master01 ~]# kg cm -n ingress-nginx | grep ingress
ingress-nginx-controller 2 4h19m
# add whitelist-source-range: 10.0.0.20 under the data field
[root@k8s-master01 ~]# k edit cm ingress-nginx-controller -n ingress-nginx
...
...
data:
  allow-snippet-annotations: "true"
  annotations-risk-level: Critical
  whitelist-source-range: 10.0.0.20
...
...
2. Create a test Ingress (no per-Ingress annotation this time)
[root@k8s-master01 ~]# vim ip-allowlist-ingress-test.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress
  namespace: study-ingress
spec:
  ingressClassName: nginx # for k8s >= 1.22+
  rules:
  - host: auth.test.com
    http:
      paths:
      - backend:
          service:
            name: nginx
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
# create the Ingress
[root@k8s-master01 ~]# kaf ip-allowlist-ingress-test.yaml
3. Add hosts entries on the 10.0.0.20 and 10.0.0.21 hosts
# on host 10.0.0.20
echo "10.0.0.22 auth.test.com" >> /etc/hosts
# on host 10.0.0.21
echo "10.0.0.22 auth.test.com" >> /etc/hosts
4. Test access from 10.0.0.20 and 10.0.0.21; only 10.0.0.20 can reach the site
# test from 10.0.0.20: succeeds because of the global allowlist
[root@k8s-master01 day012]# curl auth.test.com -I
HTTP/1.1 200 OK
Date: Wed, 19 Mar 2025 07:14:07 GMT
Content-Type: text/html
Content-Length: 612
Connection: keep-alive
Last-Modified: Wed, 10 Apr 2019 01:08:42 GMT
ETag: "5cad421a-264"
Accept-Ranges: bytes
# test from 10.0.0.21: rejected, since it is not on the global allowlist
[root@k8s-node01 ~]# curl auth.test.com -I
HTTP/1.1 403 Forbidden
Date: Wed, 19 Mar 2025 07:14:23 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
5. Clean up
[root@k8s-master01 ~]# k delete -f ip-allowlist-ingress-test.yaml