
I wanted to create an nginx ingress which allows users to connect to only a few paths and blocks all the rest or returns a 403 error. Is there any way to achieve that?

I only want to allow users to connect to "/code-refiner/" and /v1/unsubscribed/*; all the rest should be blocked.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: code-refiner-service-ingress-external
  namespace: backend
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/ingress.class: nginx-external
spec:
  rules:
  - host: code-refiner.example.com
    http:
      paths:
      - backend:
          service:
            name: code-refiner-service
            port:
              number: 80
        path: /
        pathType: Prefix

I need to achieve something like this

location / {
    deny all;
}
location /code-refiner/ {
    allow all;
}
location /v1/unsubscribed/ {
    allow all;
}
Rocky

1 Answer

As per this git link, you can create two Ingresses and add the annotations only to the Ingress with the path you want to protect.

  1. For your issue, first create two Ingresses, by default without any restriction.
  2. Then, create a secret for auth as described in the doc. (Create an htpasswd file and a secret.)

Creating the htpasswd

$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo

Creating the secret:

kubectl create secret generic basic-auth --from-file=auth

  3. Create the second Ingress, with auth, for the paths which you need to restrict.

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: my-nginx-ingress-auth
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    kubernetes.io/tls-acme: "true"
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - foo"
    # Below configuration-snippet is to pass on the authenticated user-name to serviceB
    # (snippet annotations must be enabled on the controller: allow-snippet-annotations)
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header X-AUTH-USER $remote_user;
spec:
  tls:
  - hosts:
    - myhost
    secretName: mysecret
  rules:
  - host: myhost
    http:
      paths:
      - path: /serviceB/
        pathType: Prefix
        backend:
          service:
            name: serviceB-service
            port:
              number: 7070

For your reference, I am adding these Stack Overflow links: [1] [2].

The second approach uses ConfigMaps and server-snippet:

What you have to do is to locate your configMap:

kubectl get pod <nginx-ingress-controller> -o yaml

It is located in the container args:

spec:
  containers:
  - args:
    - /nginx-ingress-controller
    - --configmap=$(POD_NAMESPACE)/nginx-loadbalancer-conf

And then just edit it and add the server-snippet part:

apiVersion: v1
data:
  server-snippet: |
    location /admin-access {
      deny all;
    }

This approach allows you to define restricted locations globally for all hosts defined in the Ingress resource.

Please note that with usage of server-snippet, the path that you are blocking cannot be defined in the Ingress resource object. There is, however, another way with location-snippet via ConfigMap:

location ~* "^/web/admin" {
    deny all;
}

With this, for every existing path in the Ingress object there will be an ingress rule, but it will be blocked for the specific URI (in the example above, it will be blocked when admin appears after web). All of the other URIs will be passed through.

Sai Chandra Gadde
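
An added example, not from either post above: one way to get the allow-list the question asks for without any snippets is to list only the permitted paths in the Ingress, so that ingress-nginx sends every other path on that host to its default backend, which answers 404 (not 403) by default. It reuses the question's host, service, namespace and ingress class, and assumes the backend serves these paths unrewritten, so the `rewrite-target` annotation is left out.

```yaml
# Added example: allow-list Ingress for the question's host.
# Assumption: the backend serves /code-refiner/ and /v1/unsubscribed/ as-is,
# so no rewrite-target annotation is set.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: code-refiner-service-ingress-external
  namespace: backend
  annotations:
    kubernetes.io/ingress.class: nginx-external
spec:
  rules:
  - host: code-refiner.example.com
    http:
      paths:
      # Weak setting being replaced: "path: /" with pathType Prefix
      # exposes every URI of the service.
      - path: /code-refiner/
        pathType: Prefix
        backend:
          service:
            name: code-refiner-service
            port:
              number: 80
      - path: /v1/unsubscribed/
        pathType: Prefix
        backend:
          service:
            name: code-refiner-service
            port:
              number: 80
      # No "/" entry: any other path on this host is not routed to the service.
```

After applying it, a request to an unlisted path such as `/` on this host should no longer reach `code-refiner-service`.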