
Trying to set up an ingress with TLS and only open certain IPs on GKE

Updated: 2022-11-30 18:15:16

You can do that by configuring Ingress and Cloud Armour.

Switch to the project:

gcloud config set project $PROJECT

Create the policy:

gcloud compute security-policies create $POLICY_NAME --description "whitelisting"

Change the default policy to deny:

gcloud compute security-policies rules update 2147483647 --action=deny-403 \
  --security-policy $POLICY_NAME

On a lower priority than the default, whitelist all the IPs you want to whitelist:

gcloud compute security-policies rules create 2 \
  --action allow \
  --security-policy $POLICY_NAME \
  --description "allow friends" \
  --src-ip-ranges "93.184.17.0/24,151.101.1.69/32"

At most ten per range.

Note that you need valid CIDR ranges; for that you can use CIDR to IP Range -> IP Range to CIDR.

View the policy as follows:

gcloud compute security-policies describe $POLICY_NAME

Drop an entry:

gcloud compute security-policies rules delete $PRIORITY --security-policy $POLICY_NAME

Or the whole policy:

gcloud compute security-policies delete $POLICY_NAME

Create the BackendConfig:

# File backendconfig.yaml:
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  namespace: <namespace>
  name: <name>
spec:
  securityPolicy:
    name: $POLICY_NAME

$ kubectl apply -f backendconfig.yaml
backendconfig.cloud.google.com/backendconfig-name created

Add the BackendConfig to the Service:

# File service.yaml (apiVersion and kind added so the manifest applies as-is):
apiVersion: v1
kind: Service
metadata:
  namespace: <namespace>
  name: <service-name>
  labels:
    app: my-app
  annotations:
    # Maps the Service port to the BackendConfig created above
    cloud.google.com/backend-config: '{"ports": {"80":"backendconfig-name"}}'
spec:
  type: NodePort
  selector:
    app: hello-app
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080

Use the right selectors and point the receiving port of the Service to the BackendConfig created earlier.

Now Cloud Armour will add the policy to the GKE service.

https://console.cloud.google.com/net-security/securitypolicies (select $PROJECT).
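The answer's two practical pitfalls are invalid CIDR ranges and the limit of ten source ranges per allow rule. The following is an added example (not part of the answer above or of any Google tooling) that validates an allow-list with Python's standard `ipaddress` module, splits it into groups of ten, and generates the `gcloud ... rules create` commands with ascending priorities that all sort before the deny-all default rule; it only prints the commands, it does not run them, and the sample allow-list is constructed.

```python
import ipaddress

DEFAULT_RULE_PRIORITY = 2147483647  # the deny-403 default rule used above
MAX_RANGES_PER_RULE = 10            # Cloud Armor limit on --src-ip-ranges per rule


def validate_cidrs(cidrs):
    """Return the ranges normalised as CIDR strings, rejecting invalid ones.

    strict=True refuses networks with host bits set (e.g. 151.101.1.69/24),
    the kind of input the answer warns about; a bare IP becomes a /32.
    """
    nets = []
    for c in cidrs:
        try:
            nets.append(str(ipaddress.ip_network(c, strict=True)))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR range {c!r}: {exc}") from exc
    return nets


def build_allow_rules(cidrs, policy_name, start_priority=2):
    """Produce the gcloud commands that allow-list `cidrs` in `policy_name`.

    Ranges are chunked into groups of MAX_RANGES_PER_RULE, one allow rule
    per chunk. Priorities count up from start_priority and are checked to
    stay below the default rule, so every allow rule is evaluated first.
    """
    nets = validate_cidrs(cidrs)
    commands = []
    for i in range(0, len(nets), MAX_RANGES_PER_RULE):
        priority = start_priority + i // MAX_RANGES_PER_RULE
        if priority >= DEFAULT_RULE_PRIORITY:
            raise ValueError("allow rule would not precede the default deny rule")
        chunk = ",".join(nets[i:i + MAX_RANGES_PER_RULE])
        commands.append(
            f"gcloud compute security-policies rules create {priority} "
            f"--action allow --security-policy {policy_name} "
            f'--description "allow friends" --src-ip-ranges "{chunk}"'
        )
    return commands


if __name__ == "__main__":
    # Constructed sample allow-list: 12 ranges, so two rules are needed.
    sample = [f"93.184.{n}.0/24" for n in range(11)] + ["151.101.1.69"]
    for cmd in build_allow_rules(sample, "$POLICY_NAME"):
        print(cmd)
```

Pipe the output into a shell once you have reviewed it; a single malformed range aborts generation before any command is emitted.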