Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Kubernetes Ingress network deny some paths

I've a simple kubernetes ingress network.

I need deny the access some critical paths like /admin or etc.

My ingress network file shown as below.

 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 name: ingress-test
 spec:
   rules:
   - host: host.host.com
   http:
      paths:
        - path: /service-mapping
      backend:
         serviceName: /service-mapping
         servicePort: 9042

How I can deny the custom path with kubernetes ingress network, with nginx annonations or another methods .


I handle this issue with annotations shown as below .

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
   name: nginx-configuration-snippet
   annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |

     server_tokens off;
     location DANGER-PATH {
    deny all;
    return 403;
  }

spec:
  rules:
   - host: api.myhost.com
   http:
  paths:
  - backend:
      serviceName: bookapi-2
      servicePort: 8080
    path: PATH 
like image 382
ColossusMark1 Avatar asked Aug 16 '18 10:08

ColossusMark1


People also ask

What is pathType in ingress?

pathType. The pathType field specifies one of three ways that an Ingress Object's path should be interpreted: ImplementationSpecific: Path prefix matching is delegated to the Ingress Controller (IngressClass). Exact: Matches the URL path exactly (case sensitive) Prefix: Matches based on a URL path prefix split by /.

What is rewrite target in ingress?

In this ingress definition, any characters captured by (. *) will be assigned to the placeholder $2 , which is then used as a parameter in the rewrite-target annotation. For example, the ingress definition above will result in the following rewrites: rewrite.bar.com/something rewrites to rewrite.bar.com/

Can Kubernetes have multiple ingress?

8.0, one can install multiple NGINX ingress controllers in a Kubernetes cluster. The optional NGINX Ingress Controller can be installed as an App on your cluster.


2 Answers

You can use server-snippet annotation. This seems like exactly what you want to achieve.

like image 68
sedooe Avatar answered Sep 29 '22 13:09

sedooe


I’ve faced the same issue and found the solution on github. To achieve your goal, you need to create two Ingresses first by default without any restriction:

apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 name: ingress-test
 spec:
   rules:
   - host: host.host.com
   http:
      paths:
        - path: /service-mapping
      backend:
         serviceName: /service-mapping
         servicePort: 9042

Then, create a secret for auth as described in the doc:

Creating the htpasswd

$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo

Creating the secret:

$ kubectl create secret generic basic-auth --from-file=auth
secret "basic-auth" created

Second Ingress with auth for paths which you need to restrict:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropiate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - foo"
spec:
  rules:
  - host: host.host.com
    http:
      paths:
      - path: /admin
        backend:
          serviceName: service_name
          servicePort: 80

According to sedooe answer, his solution may have some issues.

like image 23
Nick Rak Avatar answered Sep 29 '22 12:09

Nick Rak