上周在调整K8S中某域名其中一段PATH的ingress白名单问题时,由于对ingress的白名单策略理解不充分导致错误配置,使白名单应用到全域名中造成整个域名403。
特此花时间研究一下整个ingress相关的配置。
参考文档:https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
问题配置:
nginx.ingress.kubernetes.io/server-snippet: |
set_real_ip_from 0.0.0.0/0;
real_ip_header RemoteIp;
real_ip_recursive on;
allow 1.2.3.4;
deny all;
语句分析:
先看下原文解释:Using the annotation nginx.ingress.kubernetes.io/server-snippet it is possible to add custom configuration in the server configuration block.
attention This annotation can be used only once per host.
意思使server-snippet的配置是添加在server的配置块的,而且只可以使用一次。而我在配置时,误以为将该配置应用于单个path的ingress即可局部生效,导致ingress起来后,该配置应用于域名全局,造成几乎100%的403错误。可谓危险。
-----
server-snippet其他配置分析:
例子一:apiVersion: networking.k8s.io/v1beta1
kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/server-snippet: | set $agentflag 0; if ($http_user_agent ~* "(Mobile)" ){ set $agentflag 1; } if ( $agentflag = 1 ) { return 301 https://m.example.com; }
在server全局块设置变量默认0,如果是移动请求,将请求变为1,同时跳转301至移动页面。
从整体上看,server-snippet里面的配置与常规的nginx无异,不过即使在单个ingress中应用,也会使域名全局生效。正确的配置应该是
nginx.ingress.kubernetes.io/configuration-snippet
Using this annotation you can add additional configuration to the NGINX location.
特别注意!!!在ingress中还有一个
nginx.ingress.kubernetes.io/whitelist-source-range
的配置,同样是白名单的设置,
Adding an annotation to an Ingress rule overrides any global restriction.
意思是这个设置也是全局性的,要千万注意。
-----
nginx.ingress.kubernetes.io其他配置分析:
nginx.ingress.kubernetes.io/app-root:根路径重定向
If the Application Root is exposed in a different path and needs to be redirected, set the annotationnginx.ingress.kubernetes.io/app-rootto redirect requests for/.
如果应用程序根在不同的路径中公开并且需要重定向,请设置注释重定向/的请求。
nginx.ingress.kubernetes.io/affinity:会话亲和性
The annotationnginx.ingreenables and sets the affinity type in all Upstreams of an Ingress
ss.kubernetes.io/affinity
The only affinity type available for NGINX iscookie. nginx-ingress的会话类型只能选择cookie。
nginx.ingress.kubernetes.io/affinity-mode:会话亲和性模式
The annotationnginx.ingress.kubernetes.io/affinity-modedefines the stickyness of a session. Setting this tobalanced(default) will redistribute some sessions if a deployment gets scaled up, therefore rebalancing the load on the servers. Setting this topersistentwill not rebalance sessions to new servers, therefore providing maximum stickyness.
俩种模式:balanced和persistent,balanced可以在pod扩展时将请求发送至新pod,persistent则保持最大的粘性,不会在有新扩展时发送给新pod。
nginx.ingress.kubernetes.io/auth-type: [basic|digest]nginx.ingress.kubernetes.io/auth-secret: secretName 添加验证
It is possible to add authentication by adding additional annotations in the Ingress rule. The source of the authentication is a secret that contains usernames and passwords.
nginx.ingress.kubernetes.io/auth-tls-secret: secretName
nginx.ingress.kubernetes.io/auth-tls-verify-depth
nginx.ingress.kubernetes.io/auth-tls-verify-client
nginx.ingress.kubernetes.io/auth-tls-error-page
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream
添加证书认证
nginx.ingress.kubernetes.io/backend-protocol
Using backend-protocol annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces secure-backends in older versions) Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI
By default NGINX uses HTTP. 默认情况下后端默认使用http协议通信,也可以指定其他。
添加后端协议
nginx.ingress.kubernetes.io/canary
In some cases, you may want to "canary" a new set of changes by sending a small number of requests to a different service than the production service. The canary annotation enables the Ingress spec to act as an alternative service for requests to route to depending on the rules applied. The following annotations to configure canary can be enabled afternginx.ingress.kubernetes.io/canary: "true"is set:
可以使用canary模式将小部分流量导入canary的新服务用于测试,canary金丝雀指灰度版本的意思
nginx.ingress.kubernetes.io/client-body-buffer-size
Sets buffer size for reading client request body per location. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. By default, buffer size is equal to two memory pages. This is 8K on x86, other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms. This annotation is applied to each location provided in the ingress rule.
设置读取客户端请求正文的缓冲区大小,如客户端post或上传文件。
nginx.ingress.kubernetes.io/enable-cors: "true"
开启跨域支持
nginx.ingress.kubernetes.io/permanent-redirect
永久重定向至某域名
-----
还有更多的配置请见官方文档。