limit_except in kubernetes-nginx is not working

2/22/2021

I have configured nginx-ingress-controller in kubernetes and I am trying to achieve method based routing from kubernetes.

This is my ingress.yaml file below:

kind: Ingress
metadata:
  name: cafe-ingress-with-annotations
  annotations:
    kubernetes.io/ingress.class: "nginx"
    #nginx.ingress.kubernetes.io/use-regex: "true"
    #nginx.ingress.kubernetes.io/app-root: /
    #nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location /tea {
         limit_except GET {
            deny all;
         }
      }
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

according to the annotation defined it is supposed to block all other methods like POST/DELETE...etc except GET method. But it is not denying any of the methods. Please help me how can I achieve method based routing using limit_except in nginx. Thanks in advance.

-- bunny
kubernetes
nginx
nginx-ingress

1 Answer

3/11/2021

As you can read in here, the configuration-snippet annotation is used for adding an additional configuration to the NGINX location.

If you want to add custom locations in the server block, you need to use server-snippet annotation. As you can read here:

Using the annotation nginx.ingress.kubernetes.io/server-snippet it is possible to add custom configuration in the server configuration block.

The following Ingress manifest should work:

kind: Ingress
metadata:
  name: cafe-ingress-with-annotations
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/server-snippet: |
      location /tea {
         limit_except GET {
            deny all;
         }
      }
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
-- mario
Source: StackOverflow