1

i'm trying to config my ingress controller to allow only GET method on it , i saw there is a cors config that i can use to do that , but no idea why it doesn't work here my config :

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-elasticsearch-service
  namespace: my-application-namespace
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://my-host.com"
spec:
  tls:
  - hosts:
    - my-host.com
    secretName: my-ingress-secret
  rules:
  - host: my-host.com
    http:
      paths:
      - path: /elasticsearch/(.+)
        pathType: Prefix
        backend:
          service:
            name: elasticsearch-service
            port:
              number: 9200

as you guess i'm trying to expose an elasticsearch but only the get method so my frontend can use it directly .

Another option i saw is that it's possible to config nginx with "nginx.ingress.kubernetes.io/server-snippet" like the following (from documentation ) :


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
        set $agentflag 0;

        if ($http_user_agent ~* "(Mobile)" ){
          set $agentflag 1;
        }

        if ( $agentflag = 1 ) {
          return 301 https://m.example.com;
        }

i've tried both config i put this in annotations :

nginx.ingress.kubernetes.io/server-snippet: |
      location ~* "^/elasticsearch/(.+)" {
          if ($request_method != GET) {
            return 403;
          }
        }

but my entire elasticsearch GET route went into a 404 for some reason , not sure why . but the other HTTP method return a 403 .

Anyone got an idea on how can i achieve this properly ?

Thanks .

kevP-Sirius
  • 93
  • 1
  • 9

2 Answers2

2

Solved finally , i used the wrong snippet i had to use configuration-snippet instead of server-snippet and without the location condition because it was overwriting the kubernetes config and i couldnt reproduce the way kubernetes redirect inside my location .

As a result the final solution look like the following :

 nginx.ingress.kubernetes.io/configuration-snippet: |
      
          if ($request_method != GET) {
            return 403;
          }
kevP-Sirius
  • 93
  • 1
  • 9
1

I wanted to add that, after trying multiple solutions for blocking paths/methods in Kubernetes with Ingress-Nginx, kevP-Sirius's solution is what worked best for me. However one limit is not blocking specific URLs. I would suggest using 3 Ifs for blocking specific paths with specific methods.

For example:

  if ($request_uri ~* "^/api/database") {
    set $blocked_path  "bad path"; 
  }
  if ($request_method != GET) {
    set $blocked_path  "${blocked_path} and method"; 
  }
  if ($blocked_path = "bad path and method") {
    return 405 "Error: deprecated endpoint";
  }

This example blocks path /api/database with any method that is not GET. Also consider that you can chain multiple URLs using Regex like this:

/api/(first|path/second)

This matches for /api/first and /api/path/second.

Adrian Mole
  • 49,934
  • 160
  • 51
  • 83
Ezra
  • 11
  • 1