github.com/nginxinc/kubernetes-ingress@v1.12.5/examples-of-custom-resources/access-control/README.md

# Access Control

In this example, we deploy a web application; configure load balancing for it via a VirtualServer; and apply access control policies to deny and allow traffic from a specific subnet.

## Prerequisites

1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller.
1. Save the public IP address of the Ingress Controller into a shell variable:
    ```
    $ IC_IP=XXX.YYY.ZZZ.III
    ```
1. Save the HTTP port of the Ingress Controller into a shell variable:
    ```
    $ IC_HTTP_PORT=<port number>
    ```

## Step 1 - Deploy a Web Application

Create the application deployment and service:
```
$ kubectl apply -f webapp.yaml
```

## Step 2 - Deploy an Access Control Policy

In this step, we create a policy with the name `webapp-policy` that denies requests from clients with an IP that belongs to the subnet `10.0.0.0/8`. This is the subnet that our test client in Steps 4 and 6 will belong to. Make sure to change the `deny` field of the `access-control-policy-deny.yaml` according to your environment (use the subnet of your machine).

Create the policy:
```
$ kubectl apply -f access-control-policy-deny.yaml
```

## Step 3 - Configure Load Balancing

Create a VirtualServer resource for the web application:
```
$ kubectl apply -f virtual-server.yaml
```

Note that the VirtualServer references the policy `webapp-policy` created in Step 2.

## Step 4 - Test the Configuration

Let's access the application:
```
$ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.9</center>
</body>
</html>
```

We got a 403 response from NGINX, which means that our policy successfully blocked our request.

## Step 5 - Update the Policy

In this step, we update the policy to allow requests from clients from the subnet `10.0.0.0/8`. Make sure to change the `allow` field of the `access-control-policy-allow.yaml` according to your environment.

Update the policy:
```
$ kubectl apply -f access-control-policy-allow.yaml
```

## Step 6 - Test the Configuration

Let's access the application again:
```
$ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
Server address: 10.64.0.13:8080
Server name: webapp-5cbbc7bd78-wf85w
```

In contrast with Step 4, we got a 200 response, which means that our updated policy successfully allowed our request.
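
The following check is an added example, not part of the Ingress Controller repository. It models how a policy with either a `deny` or an `allow` list maps a client address to the 403 or 200 seen in Steps 4 and 6, so you can confirm your subnet choice before applying the policy. It goes slightly beyond the steps above by also covering clients outside the listed subnet: NGINX follows an allow list with `deny all` and a deny list with `allow all`. The function names and client addresses are constructed for illustration.

```python
import ipaddress


def status_for(policy, client_ip):
    """Return the HTTP status (200 or 403) expected for client_ip.

    policy is a dict holding one list of CIDR strings under "allow" or "deny".
    Assumption of this model: one list per policy, as in the two policy files
    used in Steps 2 and 5. client_ip must be the source address as NGINX sees
    it, which can differ from the address of your machine if NAT is involved.
    """
    allow = policy.get("allow") or []
    deny = policy.get("deny") or []
    if bool(allow) == bool(deny):
        raise ValueError("policy must set exactly one of 'allow' or 'deny'")

    ip = ipaddress.ip_address(client_ip)
    # ip_network() raises ValueError on typos such as 10.0.0.1/8 (host bits set).
    networks = [ipaddress.ip_network(cidr) for cidr in (allow or deny)]
    matched = any(ip.version == net.version and ip in net for net in networks)

    if allow:
        # Allow list: listed networks pass, everyone else is rejected.
        return 200 if matched else 403
    # Deny list: listed networks are rejected, everyone else passes.
    return 403 if matched else 200


def preview(policy, clients):
    """Map each client address to its expected status under policy."""
    return {client: status_for(policy, client) for client in clients}


# Constructed sample data: the subnet from the steps above and two test clients.
DENY_POLICY = {"deny": ["10.0.0.0/8"]}    # Step 2
ALLOW_POLICY = {"allow": ["10.0.0.0/8"]}  # Step 5
CLIENTS = ["10.64.0.1", "192.0.2.10"]

if __name__ == "__main__":
    for name, policy in (("deny", DENY_POLICY), ("allow", ALLOW_POLICY)):
        print(name, preview(policy, CLIENTS))
```

If the status you get from `curl` differs from the preview, first compare the subnet in the policy with the client address that actually reaches NGINX.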