我在 GKE 集群中的 nginx 入口控制器后面有一个后端应用程序,我想将某个 IP 列入白名单以仅访问它。我在关联的入口中添加了此注释:
nginx.ingress.kubernetes.io/whitelist-source-range: "my-ip/32"
我也在入口控制器服务中进行了externalTrafficPolicy设置。Local
问题是,当我打开应用程序时,它总是返回403 Forbidden
,并且在入口控制器日志中,当我打开应用程序时,它会记录,access forbidden by rule, client: 127.0.0.1, server: my-appliaction.domain.ext这意味着客户端 IP 未转发到入口控制器。我正在使用 GCP GKE。
我错过了什么?
提前致谢。
答案1
我使用了以下nginx配置图:
apiVersion: v1
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.5.1
name: ingress-nginx-controller
namespace: ingress-nginx
data:
allow-snippet-annotations: "true"
enable-real-ip: "true"
use-forwarded-headers: "true"
proxy-real-ip-cidr: "<pods_cidr>,<services_cidr>,<load_balance_ip>/32"
use-proxy-protocol: "false"
externalTrafficPolicy: Local并添加了声明nginx分配负载平衡的服务:
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.5.1
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalTrafficPolicy: Local
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- appProtocol: https
name: https
port: 443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: LoadBalancer
loadBalancerIP: <load_balance_ip>
然后我还配置了ip-masq-代理使用以下 ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
name: ip-masq-agent
namespace: kube-system
data:
config: |
nonMasqueradeCIDRs:
- <load_balance_ip>/32
- <pods_cidr>
- <services_cidr>
masqLinkLocal: false
resyncInterval: 30s
因此,我删除了 DaemonSetip-masq-代理和克自动重新创建它。
之后,我得到了我的克nginx.ingress.kubernetes.io/whitelist-source-range集群按预期运行。并在 Ingress 上成功使用。
您可以找到有关以下方面的更多信息ip-masq-代理在克访问https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent