How to whitelist only one path in kubernetes nginx ingress controller

女生的网名这么多〃 submitted on 2020-03-21 05:33:19

Question


Using the Nginx Ingress Controller, we would like to expose different paths of a Kubernetes service, with different security requirements.

  1. / is open to the public

  2. /white-list only allows connections from a specific IP Address

  3. /need-key requires an API key

I'm running in AWS EKS. Kubernetes version is as follows: v1.12.6-eks-d69f1b.

If we use Annotations, they apply to the entire service. Ideally I would like to apply an Annotation only to a path.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA
  annotations:
    # use the shared ingress-nginx
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myServiceA
          servicePort: 80
      - path: /white-list
        backend:
          serviceName: myServiceA
          servicePort: 80
          **NEED SOMETHING HERE TO WHITELIST**
      - path: /need-key
        backend:
          serviceName: myServiceA
          servicePort: 80
          **NEED SOMETHING HERE TO USE API-KEY**

The results I've been having end up applying to all the paths. I can live without API-Key as I can code that out, but ideally, I'd rather have it managed outside of the container.

Has anyone accomplished this with NGINX Ingress controller?


Answer 1:


To apply an annotation to each path, you could write one ingress rule for each path you want to apply it to. The Nginx Ingress Controller will collect those ingress rules by itself and apply them accordingly.

For example:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA-root
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myServiceA
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA-white-list
  annotations:
    kubernetes.io/ingress.class: "nginx"
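    # ingress-nginx only reads annotations under its configured prefix; the
    # default is nginx.ingress.kubernetes.io (changeable with --annotations-prefix)
    nginx.ingress.kubernetes.io/whitelist-source-range: X.X.X.X/32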
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /white-list
        backend:
          serviceName: myServiceA
          servicePort: 80
...
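
As an added example (not part of the original answer or of ingress-nginx): a Python check that reads `kubectl get ingress -o json` output and reports paths that must be restricted but carry no `whitelist-source-range` allowlist under the controller's annotation prefix, which is what happens when the annotation is written under a prefix the controller does not read. The function names, the sample objects and the address 203.0.113.10/32 are constructed for illustration, and the default prefix `nginx.ingress.kubernetes.io` is an assumption about the controller's configuration.

```python
import json
import sys

# Assumption: the controller uses ingress-nginx's default annotation prefix
# (it can be changed with the --annotations-prefix flag).
PREFIX = "nginx.ingress.kubernetes.io"
HOST = "myServiceA.foo.org"  # host used in the manifests on this page

def path_policies(ingress_list, prefix=PREFIX):
    """Map (host, path) -> allowed CIDR list, or None when no allowlist applies."""
    policies = {}
    for ing in ingress_list["items"]:
        annotations = ing["metadata"].get("annotations") or {}
        raw = annotations.get(prefix + "/whitelist-source-range", "")
        cidrs = [c.strip() for c in raw.split(",") if c.strip()] or None
        # The annotation belongs to the Ingress object, so it covers every
        # path listed in that object and nothing else.
        for rule in ing["spec"].get("rules") or []:
            for p in (rule.get("http") or {}).get("paths") or []:
                policies[(rule.get("host", "*"), p.get("path", "/"))] = cidrs
    return policies

def unprotected(ingress_list, must_restrict, prefix=PREFIX):
    """Paths in must_restrict that have no source-range allowlist."""
    policies = path_policies(ingress_list, prefix)
    return sorted(key for key in must_restrict if not policies.get(key))

def sample(annotation_prefix):
    """Constructed data shaped like `kubectl get ingress -o json` output."""
    def ingress(path, annotations):
        return {"metadata": {"annotations": annotations},
                "spec": {"rules": [{"host": HOST,
                                    "http": {"paths": [{"path": path}]}}]}}
    key = annotation_prefix + "/whitelist-source-range"
    return {"items": [ingress("/", {}),
                      ingress("/white-list", {key: "203.0.113.10/32"})]}

MUST_RESTRICT = [(HOST, "/white-list")]

if __name__ == "__main__":
    # Usage: kubectl get ingress -o json | python3 this_script.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else sample(PREFIX)
    for host, path in unprotected(data, MUST_RESTRICT):
        print(f"NO ALLOWLIST: {host}{path}")
```

The allowlist is matched against the client address as nginx sees it, so behind a load balancer also confirm that the original source IP reaches the controller.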


Source: https://stackoverflow.com/questions/56444440/how-to-whitelist-only-one-path-in-kubernetes-nginx-ingress-controller
