Original: Analysis of K8S Ingress configuration, and a post-mortem of one configuration incident


Last week, while adjusting the ingress whitelist for one PATH segment of a domain in K8S, I misconfigured it because I did not fully understand how the ingress whitelist policy is scoped; the whitelist was applied to the whole domain and the entire domain returned 403.

So I took the time to study the whole set of ingress-related configuration.

Reference documentation: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md

The problematic configuration:

nginx.ingress.kubernetes.io/server-snippet: |
  set_real_ip_from 0.0.0.0/0;
  real_ip_header RemoteIp;
  real_ip_recursive on;
  allow 1.2.3.4;
  deny all;

Statement analysis:

First, the original explanation: Using the annotation nginx.ingress.kubernetes.io/server-snippet it is possible to add custom configuration in the server configuration block.

attention This annotation can be used only once per host.

This means the server-snippet configuration is added to the server configuration block, and it may be used only once per host. When I configured it, I mistakenly assumed that applying it to the ingress of a single path would make it take effect only for that path; once the ingress came up, the configuration applied to the whole domain and caused almost 100% 403 errors. Dangerous indeed.

 

-----

Analysis of other server-snippet configurations:

Example one:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      set $agentflag 0;
      if ($http_user_agent ~* "(Mobile)" ){
        set $agentflag 1;
      }
      if ( $agentflag = 1 ) {
        return 301 https://m.example.com;
      }

In the server block the variable defaults to 0; if the request comes from a mobile client it is set to 1, and the request is redirected with a 301 to the mobile page.


Overall, the configuration inside server-snippet is no different from ordinary nginx configuration, but even when applied in a single ingress it takes effect for the whole domain. The correct configuration for a single path should be

nginx.ingress.kubernetes.io/configuration-snippet
Using this annotation you can add additional configuration to the NGINX location.

Special attention!!! Ingress also has a
nginx.ingress.kubernetes.io/whitelist-source-range
setting, which is likewise a whitelist:
Adding an annotation to an Ingress rule overrides any global restriction.
This means that this setting is also global in effect, so be very careful.
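As an added example (not from the original post or from the ingress-nginx project), here is the mis-scoped form of the allow/deny beside the corrected form. The host `app.example.com`, the service `web`, the `/admin` path, `ingressClassName: nginx` and the use of the `networking.k8s.io/v1` API are assumptions; the allowed address `1.2.3.4` is taken from the post's own configuration.

```yaml
# Added example, not from the original post. Host, service, path and ingressClassName are assumed.
#
# (1) Mis-scoped: server-snippet lands in the host's server {} block, so this allow/deny
#     governs every path of app.example.com, not only /admin (the incident described above).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-misscoped
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      allow 1.2.3.4;
      deny all;
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /admin
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
---
# (2) Corrected: configuration-snippet lands in the location {} that ingress-nginx generates
#     for /admin, so only that path is restricted; an Ingress for "/" on the same host
#     (not shown) keeps serving the rest of the domain.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-restricted
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      allow 1.2.3.4;
      deny all;
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /admin
        pathType: Prefix
        backend:
          service:
            name: web
            port:
              number: 80
```

Before relying on either form, check where the directives actually landed in the rendered configuration: `kubectl -n ingress-nginx exec <controller-pod> -- cat /etc/nginx/nginx.conf` and confirm that `allow`/`deny` sit inside `location /admin { }` rather than directly inside `server { }`. Two further caveats: newer ingress-nginx releases gate both snippet annotations behind the controller's `allow-snippet-annotations` ConfigMap setting, so the annotations may be silently ignored if that is off; and the post's `set_real_ip_from 0.0.0.0/0` trusts a client-supplied header from any source, which lets any client choose the address the allow list sees, so restrict it to the load balancer's address range (or use the controller's `proxy-real-ip-cidr` ConfigMap key) instead of `0.0.0.0/0`.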

-----

Analysis of other nginx.ingress.kubernetes.io configurations:
nginx.ingress.kubernetes.io/app-root: root path redirect
If the Application Root is exposed in a different path and needs to be redirected, set the annotation nginx.ingress.kubernetes.io/app-root to redirect requests for /.
If the application root is exposed under a different path and needs to be redirected, set this annotation to redirect requests for /.


nginx.ingress.kubernetes.io/affinity: session affinity
The annotation nginx.ingress.kubernetes.io/affinity enables and sets the affinity type in all Upstreams of an Ingress
The only affinity type available for NGINX is cookie. For nginx-ingress the session affinity type can only be cookie.

nginx.ingress.kubernetes.io/affinity-mode: session affinity mode
The annotation nginx.ingress.kubernetes.io/affinity-mode defines the stickyness of a session. Setting this to balanced (default) will redistribute some sessions if a deployment gets scaled up, therefore rebalancing the load on the servers. Setting this to persistent will not rebalance sessions to new servers, therefore providing maximum stickyness.
Two modes: balanced and persistent. balanced may send some sessions to the new pods when the deployment scales up; persistent keeps maximum stickiness and will not move sessions to newly added pods.

nginx.ingress.kubernetes.io/auth-type: [basic|digest]
nginx.ingress.kubernetes.io/auth-secret: secretName  adds authentication
It is possible to add authentication by adding additional annotations in the Ingress rule. The source of the authentication is a secret that contains usernames and passwords.

nginx.ingress.kubernetes.io/auth-tls-secret: secretName
nginx.ingress.kubernetes.io/auth-tls-verify-depth
nginx.ingress.kubernetes.io/auth-tls-verify-client
nginx.ingress.kubernetes.io/auth-tls-error-page
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream
Adds client certificate authentication
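The auth-tls-* annotations above, as an added example that is not from the original post or from the ingress-nginx project. It assumes the namespace `default`, a Secret named `client-ca` whose `ca.crt` key holds the CA bundle that signs acceptable client certificates, the host `api.example.com`, a service `api` on port 8080, a server TLS secret `api-server-tls`, and an error page URL; the base64 value is a placeholder.

```yaml
# Added example, not from the original post. Names, host, ports and the error page URL are assumed;
# the ca.crt value is a placeholder for the base64-encoded PEM CA bundle.
apiVersion: v1
kind: Secret
metadata:
  name: client-ca
  namespace: default
type: Opaque
data:
  ca.crt: "<BASE64_ENCODED_CA_BUNDLE_PEM>"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-mtls
  namespace: default
  annotations:
    # "namespace/name" of the Secret that carries ca.crt
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/client-ca"
    # "on": a client certificate is required and must verify; "optional" accepts requests
    # that present no certificate and leaves the decision to the backend
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # maximum number of intermediate CAs allowed between the client certificate and ca.crt
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # where clients that fail verification are redirected instead of nginx's plain 400
    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.example.com/cert-required"
    # forward the verified certificate to the backend so it can authorize per client
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - api.example.com
    secretName: api-server-tls
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api
            port:
              number: 8080
```

Note the scoping: nginx's `ssl_verify_client` is a server-level directive, so client certificate verification configured this way applies to every path of the host, the same trap as server-snippet. When the certificate is passed upstream, the backend should accept those forwarded headers only from the ingress controller's own network path, otherwise a client that can reach the backend directly could present forged certificate headers.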

nginx.ingress.kubernetes.io/backend-protocol

Using backend-protocol annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces secure-backends in older versions) Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI

By default NGINX uses HTTP.  By default the backend is talked to over HTTP; another protocol can be specified.

Sets the backend protocol

nginx.ingress.kubernetes.io/canary
In some cases, you may want to "canary" a new set of changes by sending a small number of requests to a different service than the production service. The canary annotation enables the Ingress spec to act as an alternative service for requests to route to depending on the rules applied. The following annotations to configure canary can be enabled after nginx.ingress.kubernetes.io/canary: "true" is set:
Canary mode can be used to send a small portion of traffic to a new canary service for testing; "canary" here means a gray-release (staged rollout) version.
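A canary rollout as an added example (not from the original post or from the ingress-nginx project): a primary Ingress and a second Ingress for the same host and path marked `canary: "true"`. The host, the services `web-v1` and `web-v2` and the 10% weight are assumptions; `canary-weight` is a documented ingress-nginx annotation that the post does not quote.

```yaml
# Added example, not from the original post. Host, service names and the weight are assumed.
# Primary Ingress: receives every request the canary does not take.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-v1
            port:
              number: 80
---
# Canary Ingress: same host and path, flagged as canary, sends 10% of requests to web-v2.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-canary
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "10"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-v2
            port:
              number: 80
```

The weight is a percentage from 0 to 100: 0 sends nothing to the canary and 100 sends everything, so a rollout starts small and is raised step by step while the canary's error rate is watched. Because the canary serves real user traffic, it must sit behind the same authentication and access restrictions as the primary version.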

nginx.ingress.kubernetes.io/client-body-buffer-size
Sets buffer size for reading client request body per location. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. By default, buffer size is equal to two memory pages. This is 8K on x86, other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms. This annotation is applied to each location provided in the ingress rule.
Sets the buffer size for reading the client request body, for example for client POSTs or file uploads.

nginx.ingress.kubernetes.io/enable-cors: "true"
Enables CORS (cross-origin) support

nginx.ingress.kubernetes.io/permanent-redirect
Permanent redirect to a given domain

-----
For more configuration options, see the official documentation.


 

