Question
Is there a way to set up access to Cloud Run services via whitelisted IP addresses?
I could not find anything in the documentation besides this Authentication overview.
Answer 1:
When you deploy a Cloud Run service in private mode, the requester has to call the endpoint with a bearer token. This token is checked by Google Front End (GFE), which is also in charge of managing SSL certificates, for example, and it has to reference an account (member, group or service account) that has the role run.invoker on the Cloud Run service.
If you grant this role to AllUsers, the service switches from private to public and anybody can call it without any authentication.
That is the behavior of Cloud Run, and as you can't customize GFE, IP filtering is not possible directly. You have to add an additional component to perform this filtering.
With Cloud Run for Anthos (as proposed by Kolban) you can set firewall rules and thus you can perform filtering. But you aren't in the serverless world; you have to manage your cluster, your nodes, your firewall rules, your load balancer, ...
Last thing, one piece of advice from Google is: don't trust the network, because it's easy to steal an IP address (I don't know how, but for Google it's obvious!!). If you can avoid any infrastructure dependency, it's better!
Source: https://stackoverflow.com/questions/59517036/is-there-way-white-list-ip-addresses-to-access-cloud-run-services
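One shape the "additional component" mentioned in the answer could take is an allowlist check inside the service itself. This is an added example, not code from the original question or answer. It assumes the filter runs as WSGI middleware and that the front end appends the connecting client's address as the last X-Forwarded-For entry; the names `IPAllowlist`, `is_allowed` and `status_for` and the sample ranges are constructed for illustration.

```python
import ipaddress

# Constructed sample allowlist (documentation ranges, not real clients).
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "2001:db8::/32")]
# Assumption: one trusted front end appends the peer address it saw, so only
# the LAST X-Forwarded-For entry is trustworthy; earlier ones are client-set.
TRUSTED_HOPS = 1


def client_ip(xff, trusted_hops=TRUSTED_HOPS):
    """Return the address added by the outermost trusted proxy, or None."""
    parts = [p.strip() for p in (xff or "").split(",") if p.strip()]
    if len(parts) < trusted_hops:
        return None
    try:
        return ipaddress.ip_address(parts[-trusted_hops])
    except ValueError:  # malformed entry: fail closed
        return None


def is_allowed(xff, networks=ALLOWED_NETWORKS):
    ip = client_ip(xff)
    return ip is not None and any(ip in net for net in networks)


class IPAllowlist:
    """WSGI middleware (hypothetical name) that rejects non-allowlisted callers."""

    def __init__(self, app, networks=ALLOWED_NETWORKS):
        self.app, self.networks = app, networks

    def __call__(self, environ, start_response):
        if not is_allowed(environ.get("HTTP_X_FORWARDED_FOR"), self.networks):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def status_for(xff):
    """Run a trivial app behind the filter and return the response status."""
    seen = []
    inner = lambda env, sr: (sr("200 OK", []), [b"ok\n"])[1]
    app = IPAllowlist(inner)
    app({"HTTP_X_FORWARDED_FOR": xff} if xff else {},
        lambda status, headers: seen.append(status))
    return seen[0]
```

Check the header format your deployment actually delivers before relying on `TRUSTED_HOPS`, and keep the run.invoker token check in place, since the answer's point about not trusting the network applies to this filter too.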