更新时间:2022-11-30 18:15:16
您可以通过配置Ingress和Cloud Armour :
切换到项目:
gcloud config set project $PROJECT
创建策略:
gcloud compute security-policies create $POLICY_NAME --description "whitelisting"
将默认策略更改为拒绝:
Change default policy to deny:
gcloud compute security-policies rules update 2147483647 --action=deny-403 \
--security-policy $POLICY_NAME
比默认白名单的优先级低,您要白名单的所有IP:
On lower priority than the default whitelist all IPs you want to whitelist:
gcloud compute security-policies rules create 2 \
--action allow \
--security-policy $POLICY_NAME \
--description "allow friends" \
--src-ip-ranges "93.184.17.0/24,151.101.1.69/32"
每个范围最多十个。
请注意,您需要有效的CIDR范围,为此您可以使用 CIDR到IP范围-> IP范围到CIDR 。
Note you need valid CIDR ranges, for that you can use CIDR to IP Range -> IP Range to CIDR.
按以下方式查看策略:
gcloud compute security-policies describe $POLICY_NAME
丢弃条目:
gcloud compute security-policies rules delete $PRIORITY --security-policy $POLICY_NAME
或完整策略:
gcloud compute security-policies delete $POLICY_NAME
创建 BackendConfig :
# File backendconfig.yaml:
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
namespace: <namespace>
name: <name>
spec:
securityPolicy:
name: $POLICY_NAME
$ kubectl apply -f backendconfig.yaml
backendconfig.cloud.google.com/backendconfig-name created
将BackendConfig添加到服务:
Add the BackendConfig to the Service:
metadata:
namespace: <namespace>
name: <service-name>
labels:
app: my-app
annotations:
cloud.google.com/backend-config: '{"ports": {"80":"backendconfig-name"}}'
spec:
type: NodePort
selector:
app: hello-app
ports:
- port: 80
protocol: TCP
targetPort: 8080
使用正确的选择器并指向服务的接收端口
Use the right selectors and point the receiving port of the Service to the BackendConfig created earlier.
现在Cloud Armor会将策略添加到GKE服务。
Now Cloud Armour will add the policy to the GKE service.
在 https://console.cloud.google.com/net-security/securitypolicies (选择 $ PROJECT )。