How to whitelist only one path in kubernetes nginx ingress controller

6/4/2019

Using the Nginx Ingress Controller, we would like to expose different paths of a Kubernetes service, with different security requirements.

  1. / is open to the public

  2. /white-list only allows connections from a specific IP Address

  3. /need-key requires an API key

I'm running in AWS EKS. Kubernetes version is as follows: v1.12.6-eks-d69f1b.

If we use Annotations, they apply to the entire service. Ideally I would like to apply an Annotation only to a path.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA
  annotations:
    # use the shared ingress-nginx
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myServiceA
          servicePort: 80
      - path: /white-list
        backend:
          serviceName: myServiceA
          servicePort: 80
          # NEED SOMETHING HERE TO WHITELIST
      - path: /need-key
        backend:
          serviceName: myServiceA
          servicePort: 80
          # NEED SOMETHING HERE TO USE API-KEY

The results I've been having end up applying to all the paths. I can live without API-Key as I can code that out, but ideally, I'd rather have it managed outside of the container.

Has anyone accomplished this with NGINX Ingress controller?

-- Rolando Cintron
kubernetes
nginx-ingress

1 Answer

6/5/2019

To apply an annotation to each path, you could write one ingress rule for each path you want to apply it to. Nginx Ingress Controller will collect those ingress rules by itself and apply them accordingly.

For example:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA-root
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /
        backend:
          serviceName: myServiceA
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-myServiceA-white-list
  annotations:
    kubernetes.io/ingress.class: "nginx"
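    # ingress-nginx only reads annotations under its prefix (default: nginx.ingress.kubernetes.io)
    nginx.ingress.kubernetes.io/whitelist-source-range: X.X.X.X/32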
spec:
  rules:
  - host: myServiceA.foo.org
    http:
      paths:
      - path: /white-list
        backend:
          serviceName: myServiceA
          servicePort: 80
...
-- Fei
Source: StackOverflow
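
The same one-Ingress-per-path split can cover the question's /need-key path by attaching an external authentication check to that Ingress only. This is an added example, not part of the original question or answer; the Ingress name, the lowercase host and service names, and the key-check validator URL are assumptions.

```yaml
# Added example (not from the original thread).
# Hypothetical: the Ingress name and the key-check validator service.
# Host and service names are lowercase stand-ins for the page's placeholders,
# because Kubernetes object names and Ingress hosts must be lowercase.
apiVersion: extensions/v1beta1   # same API version the page uses (v1.12 cluster)
kind: Ingress
metadata:
  name: ingress-myservicea-need-key
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Annotations are scoped to this Ingress object, so only the paths listed
    # below are affected. For each request the controller first calls auth-url;
    # a 2xx reply lets the request through, 401 or 403 is returned to the client.
    # The validator (assumed here) checks the API key it finds in the request
    # headers and answers 200 or 401.
    nginx.ingress.kubernetes.io/auth-url: "http://key-check.default.svc.cluster.local/verify"
spec:
  rules:
  - host: myservicea.foo.org
    http:
      paths:
      - path: /need-key
        backend:
          serviceName: myservicea
          servicePort: 80
```

After applying it, confirm that a request to /need-key without a valid key is rejected while / is still served. If a restriction has no effect, compare the annotation prefix against the controller's `--annotations-prefix` setting, since annotations under any other prefix are ignored and the path stays open.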