Kubernetes-ingress: Restrict access to /admin location

Created on 1 Aug 2017  路  2Comments  路  Source: nginxinc/kubernetes-ingress

Hello.

I need to restrict access by ip to /admin location.
Is there a way to include file with allow/deny directives only in /admin location ?
Or add allow/deny directives in admin location only?
allow 1.1.1.1;
deny all;

apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    name: example-ingress
  spec:   
    rules:
    - host: dev.example.com
      http:   
        paths:    
        - backend:
            serviceName: test-service
            servicePort: 80
          path: / 
        - backend:
            serviceName: test-service
            servicePort: 80
          path: /admin
    tls:
    - hosts:
      - dev.example.com
      secretName: https-example

Thank you.

Most helpful comment

@pleshakov
Thank you !

I don't want to build ingress with custom template, so I chose another way with server-snippets.
But look like in the future I will have to make a custom template

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.org/server-snippets: |-
      location /admin {
          allow x.x.x.x;
          deny all;

          proxy_http_version 1.1;
          proxy_redirect off;
          proxy_intercept_errors on;
          proxy_set_header Connection "";
          proxy_set_header X-CF-Visitor $http_cf_visitor;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Port $server_port;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_pass http://devns-quests-ingress-dev.example.com-some-service;
      }

All 2 comments

@Sarga
Unfortunately, there is no way to include that for the /admin location using annotations.

However, It is possible to add some conditional logic to the template file. For example, the following code generates <your-nginx-directives> only for /admin locations:

{{if eq $location.Path "/admin"}}
<your-nginx-directives>
{{end}}

@pleshakov
Thank you !

I don't want to build ingress with custom template, so I chose another way with server-snippets.
But look like in the future I will have to make a custom template

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.org/server-snippets: |-
      location /admin {
          allow x.x.x.x;
          deny all;

          proxy_http_version 1.1;
          proxy_redirect off;
          proxy_intercept_errors on;
          proxy_set_header Connection "";
          proxy_set_header X-CF-Visitor $http_cf_visitor;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Port $server_port;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_pass http://devns-quests-ingress-dev.example.com-some-service;
      }
Was this page helpful?
0 / 5 - 0 ratings