|NO.Z.00355|——————————|CloudNative|——|KuberNetes&Ops.V71|-----------------------------------------------------------|IngressNginx.v07|Allow and deny lists|



[CloudNative:KuberNetes&Ops.V71]                                                                      [Applications.KuberNetes] [|DevOps|k8s|k8s ops|**3-node.V1**|IngressNginx allow and deny lists|]

一、Overview of IngressNginx allow and deny lists
### --- Configuration options

~~~     Annotations: take effect only for the Ingress they are set on
~~~     ConfigMap: takes effect globally, for every Ingress served by the controller
~~~     If the same setting is configured both as an annotation and in the ConfigMap (whitelist-source-range
~~~     exists in both places), the annotation wins and the ConfigMap value is ignored for that Ingress,
~~~     because annotations have a higher priority than the ConfigMap
### --- Difference between an allow list and a deny list

~~~     An allow list (whitelist) denies everyone by default and lets only the listed addresses in
~~~     A deny list (blacklist) blocks the listed addresses from everything and lets everyone else in
### --- Should the list go in the ConfigMap or in annotations?

~~~     A deny list can be configured in the ConfigMap (key block-cidrs), so it applies to every host
~~~     An allow list is best configured per Ingress with annotations (whitelist-source-range)
### --- Official documentation for the annotation:

~~~     https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
二、Allow-list configuration
### --- Allow-list configuration: one annotation is enough
~~~     Add the whitelist-source-range annotation to the Ingress manifest. The value is a comma-separated
~~~     list of CIDRs or single addresses; a bare address such as 192.168.1.11 is treated as a /32.
~~~     Note: networking.k8s.io/v1beta1 Ingress was removed in Kubernetes 1.22; on newer clusters use
~~~     networking.k8s.io/v1, where the backend is written as service.name and service.port.number.

[root@k8s-master01 rewrite]# vim nginx-ingress-white.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/whitelist-source-range: 192.168.1.11
  name: ingress-test-rewrite2-strl
  namespace: ratel-test1
spec:
  rules:
  - host: rewrite2.test.com
    http:
      paths:
      - backend:
          serviceName: ingress-test
          servicePort: 80
        path: /abc(/|$)(.*)
        pathType: ImplementationSpecific
### --- Check the Ingress that was created

[root@k8s-master01 rewrite]# kubectl get ingress -n ratel-test1
NAME                         CLASS    HOSTS               ADDRESS         PORTS     AGE
ingress-test-rewrite2-strl   <none>   rewrite2.test.com   10.105.89.225   80        7m42s
三、Access from a browser on the local machine: http://rewrite2.test.com/ -> access fails (nginx answers 403 Forbidden for a denied source), because the local machine's address is not on the allow list
四、Access from the 192.168.1.11 server
### --- Add a hosts entry

[root@k8s-master01 rewrite]# vim /etc/hosts
192.168.1.11 rewrite2.test.com
### --- Access rewrite2.test.com from 192.168.1.11
~~~     The request gets through, because that host's address is the only entry on the allow list.
~~~     The 404 below comes from the controller's default backend: a request for / does not match the
~~~     Ingress path /abc(/|$)(.*). What matters for this test is that the answer is not a 403.
~~~     Afterwards, revert the allow-list annotation before the next experiment.

[root@k8s-master01 rewrite]# curl  rewrite2.test.com
<head><title>404 Not Found</title></head>
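Which source address does the allow list actually test? The following is an added example (my own code, not from the page or the ingress-nginx project) that models how the controller's realip setup picks the client address: with the ConfigMap default use-forwarded-headers "false", the TCP peer (remote_addr) is tested and X-Forwarded-For is ignored; with it enabled, nginx consults X-Forwarded-For only when the peer lies inside proxy-real-ip-cidr (set_real_ip_from) and, with real_ip_recursive on as the generated config enables, walks the header from right to left past trusted hops. The addresses and the 10.0.0.0/8 load-balancer range are constructed for the example; proxy-real-ip-cidr's documented default of 0.0.0.0/0 is what makes the spoofing case below succeed.

```python
"""Added example (not from the original page): which address does a
whitelist-source-range rule actually see? Models ingress-nginx's realip
configuration; sample addresses and the 10.0.0.0/8 load-balancer range
are constructed for the demonstration."""
import ipaddress


def in_any(ip, cidrs):
    """True if ip falls inside any of the CIDRs (a bare address counts as /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def effective_client_ip(remote_addr, xff, use_forwarded_headers, proxy_real_ip_cidr):
    """Address nginx tests allow/deny against, following the realip module:

    - use-forwarded-headers "false" (the ConfigMap default): the TCP peer is the client.
    - otherwise X-Forwarded-For is honoured only if the peer is in proxy-real-ip-cidr
      (set_real_ip_from); with real_ip_recursive on, nginx walks the header from the
      right, skipping trusted proxies, and takes the first untrusted hop. If every hop
      is trusted it falls back to the leftmost value.
    Header values are assumed to be well-formed addresses.
    """
    if not use_forwarded_headers or not xff:
        return remote_addr
    if not in_any(remote_addr, proxy_real_ip_cidr):
        return remote_addr          # peer is not a trusted proxy: header ignored
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not in_any(hop, proxy_real_ip_cidr):
            return hop
    return hops[0]


def whitelist_decision(remote_addr, xff, use_forwarded_headers, proxy_real_ip_cidr, allow_list):
    """Return (client_ip_seen, allowed) for a whitelist-source-range allow list."""
    client = effective_client_ip(remote_addr, xff, use_forwarded_headers, proxy_real_ip_cidr)
    return client, in_any(client, allow_list)


def demo():
    """The page's allow list (only 192.168.1.11) under several deployments."""
    allow = ["192.168.1.11"]
    lb = ["10.0.0.0/8"]              # assumed load-balancer range (constructed)
    default_real_ip = ["0.0.0.0/0"]  # proxy-real-ip-cidr's documented default
    attacker = "192.168.1.15"
    spoof = "192.168.1.11"           # forged X-Forwarded-For value
    return {
        # page's setup: direct connection, header ignored -> member allowed, attacker denied
        "direct_member": whitelist_decision("192.168.1.11", "", False, default_real_ip, allow),
        "direct_attacker_spoof": whitelist_decision(attacker, spoof, False, default_real_ip, allow),
        # use-forwarded-headers on with the default trust-everything CIDR: spoof succeeds
        "fwd_default_cidr_spoof": whitelist_decision("10.0.0.5", f"{spoof}, {attacker}", True, default_real_ip, allow),
        # same header, but only the LB range is trusted: the address the LB appended is used
        "fwd_lb_only_spoof": whitelist_decision("10.0.0.5", f"{spoof}, {attacker}", True, lb, allow),
        # attacker bypasses the LB and talks to the controller directly: header ignored
        "fwd_lb_only_direct": whitelist_decision(attacker, spoof, True, lb, allow),
        # legitimate member arriving through the LB
        "fwd_lb_only_member": whitelist_decision("10.0.0.5", "192.168.1.11", True, lb, allow),
    }


if __name__ == "__main__":
    for name, (seen, ok) in demo().items():
        print(f"{name:24s} client={seen:14s} {'allow' if ok else 'deny'}")
```

The practical check: if the controller sits behind a load balancer and you enable use-forwarded-headers (or use-proxy-protocol), set proxy-real-ip-cidr to the load balancer's real address range; leaving the 0.0.0.0/0 default turns every allow list into one any client can satisfy by prepending an address to X-Forwarded-For.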
五、Deny-list configuration
### --- Deny-list configuration

~~~     Experiment: use the controller ConfigMap to deny a single IP address. In this Helm deployment the
~~~     ConfigMap is named ingress-nginx-controller (older manifest installs call it nginx-configuration).
~~~     Via the Ratel UI: ——>https://krm.test.com/ratel——>ConfigMap——>Namespace: ingress-nginx
~~~     ——>ingress-nginx-controller——>Edit: add——>Data key: block-cidrs
~~~     ——>value: 192.168.1.11——>that one address is denied——>END
### --- YAML of the ConfigMap that denies access from a single IP address

[root@k8s-master01 rewrite]# cat ingress-nginx-controller.yaml
apiVersion: v1
data:
  block-cidrs: 192.168.1.11
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
    ratel.io/configMapLastVersion: "1"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/version: 0.40.2
    helm.sh/chart: ingress-nginx-3.6.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
### --- Apply the change to ingress-nginx-controller
~~~     Deleting the controller pods is the heavy-handed way: the controller watches its own ConfigMap and
~~~     reloads nginx when it changes, and deleting every pod at once interrupts all ingress traffic until
~~~     they are rescheduled. The run below does it anyway:

[root@k8s-master01 rewrite]# kubectl delete po -n ingress-nginx --all
pod "ingress-nginx-controller-9jkl7" deleted
pod "ingress-nginx-controller-j9psb" deleted
pod "ingress-nginx-controller-mvh2c" deleted
### --- Access the configured hostnames from 192.168.1.11: 403 is returned
~~~     test-tls.test.com
~~~     rewrite2.test.com

[root@k8s-master01 rewrite]# curl rewrite2.test.com
<head><title>403 Forbidden</title></head>
[root@k8s-master01 rewrite]# curl test-tls.test.com
<head><title>308 Permanent Redirect</title></head>
~~~     rewrite2.test.com is denied as expected. The 308 for test-tls.test.com is the forced HTTPS
~~~     redirect, which nginx issues in its rewrite phase, before the access phase where deny is
~~~     evaluated; follow the redirect (curl -Lk) or request https:// directly to see the 403.
### --- Access the configured hostnames from the local machine: they work
~~~     Only the listed address is blocked; every other client is unaffected

~~~     https://test-tls.test.com/          output: Welcome to nginx!
~~~     http://rewrite2.test.com/           output: 404 Not Found
六、Configuring a deny list with Ingress annotations
### --- Create the Ingress manifest
~~~     The server-snippet annotation injects raw nginx directives into the server block. Order matters:
~~~     nginx evaluates allow/deny top to bottom and stops at the first match, so the deny must come
~~~     before allow all. Newer controller releases only honour snippet annotations when the ConfigMap
~~~     enables them (allow-snippet-annotations), because a snippet lets anyone who can create an Ingress
~~~     inject arbitrary nginx configuration; they also provide the dedicated annotation
~~~     nginx.ingress.kubernetes.io/denylist-source-range for this purpose.

[root@k8s-master01 rewrite]# vim ingress-test-rewrite2-strip-path   
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/server-snippet: |-
      deny 192.168.1.15;
      allow all;
  name: ingress-test-rewrite2-strip-path
  namespace: ratel-test1
spec:
  rules:
  - host: rewrite2.test.com
    http:
      paths:
      - backend:
          serviceName: ingress-test
          servicePort: 80
        path: /abc(/|$)(.*)
### --- Access from the deny-listed host 192.168.1.15: 403, the request is refused

[root@k8s-node02 ~]# curl rewrite2.test.com
<head><title>403 Forbidden</title></head>
~~~     # From 192.168.1.11 the answer is 404, so the request is not denied and reaches the default backend
[root@k8s-master01 rewrite]#  curl rewrite2.test.com
<head><title>404 Not Found</title></head>
    
~~~     # A hostname with no deny rule is still reachable from the denied host
[root@k8s-node02 ~]# curl test-tls.test.com
<title>Welcome to nginx!</title>
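To reason about the precedence rule from section one and the three configurations tried in sections two, five and six, here is an added example (my own code, not from the page or ingress-nginx) that models nginx's access-phase evaluation. The only nginx behaviour it relies on is the access module's own: rules are checked in order, the first match wins, no match means allow, and a context that declares any allow/deny rules of its own replaces the rules it would otherwise inherit. ingress-nginx renders block-cidrs as `deny` directives above the Ingress's `location` blocks and whitelist-source-range as `allow ...; deny all;` inside the location, so under that inheritance rule a per-Ingress allow list replaces, rather than adds to, the global deny for that location; confirm this for the release in use by reading the rendered config (`kubectl -n ingress-nginx exec <controller-pod> -- cat /etc/nginx/nginx.conf`). The rule lists and addresses are constructed from the page's experiments.

```python
"""Added example (not from the original page or ingress-nginx): a model of
nginx's access-phase allow/deny evaluation, used to reason about the
configurations on this page. Rule lists are constructed for the demo."""
import ipaddress


def parse_rules(snippet):
    """Parse 'allow X;' / 'deny X;' lines, e.g. from a server-snippet, into ordered pairs."""
    rules = []
    for line in snippet.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        action, target = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        rules.append((action, target))
    return rules


def whitelist_rules(value):
    """whitelist-source-range: allow each listed CIDR, then deny everyone else."""
    return [("allow", c.strip()) for c in value.split(",")] + [("deny", "all")]


def block_cidr_rules(value):
    """block-cidrs (ConfigMap): deny each listed CIDR; anything unmatched stays allowed."""
    return [("deny", c.strip()) for c in value.split(",")]


def matches(target, ip):
    """'all' matches everything; otherwise CIDR membership (bare address = /32)."""
    if target == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(target, strict=False)


def access(ip, inherited_rules, location_rules=()):
    """Decision for one request: a location's own rules replace inherited ones when
    it has any (ngx_http_access merge behaviour); first match wins; no match allows."""
    rules = list(location_rules) or list(inherited_rules)
    for action, target in rules:
        if matches(target, ip):
            return action
    return "allow"


def demo():
    """The page's three experiments plus two edge cases worth knowing about."""
    allow_only_11 = whitelist_rules("192.168.1.11")              # section two
    block_11 = block_cidr_rules("192.168.1.11")                  # section five
    snippet = parse_rules("deny 192.168.1.15;\nallow all;")      # section six
    wrong_order = parse_rules("allow all;\ndeny 192.168.1.15;")  # snippet lines swapped
    return {
        "whitelist_member":    access("192.168.1.11", [], allow_only_11),   # allow -> 404 from backend
        "whitelist_other":     access("192.168.1.15", [], allow_only_11),   # deny  -> 403
        "blocked_global":      access("192.168.1.11", block_11),            # deny on every host
        "blocked_other":       access("192.168.1.20", block_11),            # allow
        "snippet_denied":      access("192.168.1.15", [], snippet),         # deny
        "snippet_other":       access("192.168.1.11", [], snippet),         # allow
        "snippet_wrong_order": access("192.168.1.15", [], wrong_order),     # allow: deny never reached
        # a per-Ingress allow list covering the subnet shadows the global block-cidrs deny
        "global_block_shadowed": access("192.168.1.11", block_11, whitelist_rules("192.168.1.0/24")),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} {decision}")
```

The last case is the one to remember when combining the two mechanisms: a global block-cidrs entry is not a safety net for an Ingress that carries its own whitelist-source-range, because that Ingress's location no longer inherits the global deny.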








===============================END===============================


Walter Savage Landor:strove with none,for none was worth my strife.Nature I loved and, next to Nature, Art:I warm'd both hands before the fire of life.It sinks, and I am ready to depart                                                                                                                                                    ——W.S.Landor


