Migrate access control example to documentation website #6572
base: main
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,96 +1,3 @@ | ||
# Access Control | ||
# Deploy an Access Control policy | ||
|
||
In this example, we deploy a web application; configure load balancing for it via a VirtualServer; and apply access | ||
control policies to deny and allow traffic from a specific subnet. | ||
|
||
## Prerequisites | ||
|
||
1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) | ||
instructions to deploy the Ingress Controller. | ||
1. Save the public IP address of the Ingress Controller into a shell variable: | ||
|
||
```console | ||
IC_IP=XXX.YYY.ZZZ.III | ||
``` | ||
|
||
1. Save the HTTP port of the Ingress Controller into a shell variable: | ||
|
||
```console | ||
IC_HTTP_PORT=<port number> | ||
``` | ||
|
||
## Step 1 - Deploy a Web Application | ||
|
||
Create the application deployment and service: | ||
|
||
```console | ||
kubectl apply -f webapp.yaml | ||
``` | ||
|
||
## Step 2 - Deploy an Access Control Policy | ||
|
||
In this step, we create a policy with the name `webapp-policy` that denies requests from clients with an IP that belongs | ||
to the subnet `10.0.0.0/8`. This is the subnet that our test client in Steps 4 and 6 will belong to. Make sure to change | ||
the `deny` field of the `access-control-policy-deny.yaml` according to your environment (use the subnet of your | ||
machine). | ||
|
||
Create the policy: | ||
|
||
```console | ||
kubectl apply -f access-control-policy-deny.yaml | ||
``` | ||
|
||
## Step 3 - Configure Load Balancing | ||
|
||
Create a VirtualServer resource for the web application: | ||
|
||
```console | ||
kubectl apply -f virtual-server.yaml | ||
``` | ||
|
||
Note that the VirtualServer references the policy `webapp-policy` created in Step 2. | ||
|
||
## Step 4 - Test the Configuration | ||
|
||
Let's access the application: | ||
|
||
```console | ||
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT | ||
``` | ||
|
||
```text | ||
<html> | ||
<head><title>403 Forbidden</title></head> | ||
<body> | ||
<center><h1>403 Forbidden</h1></center> | ||
</body> | ||
</html> | ||
``` | ||
|
||
We got a 403 response from NGINX, which means that our policy successfully blocked our request. | ||
|
||
## Step 5 - Update the Policy | ||
|
||
In this step, we update the policy to allow requests from clients from the subnet `10.0.0.0/8`. Make sure to change the | ||
`allow` field of the `access-control-policy-allow.yaml` according to your environment. | ||
|
||
Update the policy: | ||
|
||
```console | ||
kubectl apply -f access-control-policy-allow.yaml | ||
``` | ||
|
||
## Step 6 - Test the Configuration | ||
|
||
Let's access the application again: | ||
|
||
```console | ||
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT | ||
``` | ||
|
||
```text | ||
Server address: 10.64.0.13:8080 | ||
Server name: webapp-5cbbc7bd78-wf85w | ||
``` | ||
|
||
In contrast with Step 4, we got a 200 response, which means that our updated policy successfully allowed our request. | ||
This is the example code used in the [Deploy an Access Control policy](https://docs.nginx.com/nginx-ingress-controller/configuration/access-control/) documentation. |
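Review bot: The single sentence left under the new heading links to the live page on docs.nginx.com, so a reader working from a tagged or older checkout of this directory gets whatever the site currently publishes, which may not match the YAML files next to this README. Consider keeping a short list of the files and the order they are applied in (webapp.yaml, access-control-policy-deny.yaml, virtual-server.yaml, access-control-policy-allow.yaml), and carrying over the removed note that the deny and allow examples use `10.0.0.0/8` and must be changed to the reader's own subnet, since that is the one setting here that decides which clients are blocked.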
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,122 @@ | ||||||
--- | ||||||
title: Deploy an Access Control policy | ||||||
weight: 900 | ||||||
toc: true | ||||||
docs: DOCS-000 | ||||||
--- | ||||||
|
||||||
This topic describes how to apply and update an Access Control policy with F5 NGINX Ingress Controller. | ||||||
|
||||||
It demonstrates this using an example application and a [VirtualServer custom resource]({{< ref "/configuration/virtualserver-and-virtualserverroute-resources.md" >}}) | ||||||
|
||||||
--- | ||||||
|
||||||
## Before you begin | ||||||
|
||||||
You should have a [working NGINX Ingress Controller]({{< ref "/installation/installing-nic/installation-with-helm.md" >}}) instance. | ||||||
|
||||||
For ease of use in shell commands, set two shell variables: | ||||||
|
||||||
1. The public IP address for your NGINX Ingress Controller instance. | ||||||
|
||||||
```shell | ||||||
IC_IP=<ip-address> | ||||||
``` | ||||||
|
||||||
2. The HTTP port of the same instance | ||||||
|
||||||
|
||||||
```shell | ||||||
IC_HTTP_PORT=<port number> | ||||||
``` | ||||||
|
||||||
--- | ||||||
|
||||||
## Deploy the example application | ||||||
|
||||||
Create the file *webapp.yaml* with the following contents: | ||||||
|
||||||
{{< ghcode "https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/webapp.yaml" >}} | ||||||
|
||||||
Apply it using *kubectl*: | ||||||
Should 'kubectl' be formatted as code instead?
||||||
|
||||||
```shell | ||||||
kubectl apply -f webapp.yaml | ||||||
``` | ||||||
|
||||||
--- | ||||||
|
||||||
## Deploy an Access Control policy | ||||||
|
||||||
|
||||||
Create a file named *access-control-policy-deny.yaml*. The highlighted *deny* field will be used by the example application, and should be changed to the subnet of your machine. | ||||||
|
||||||
{{< ghcode "https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/access-control-policy-deny.yaml" "hl_lines=7-8" >}} | ||||||
|
||||||
Apply the policy: | ||||||
|
||||||
```shell | ||||||
kubectl apply -f access-control-policy-deny.yaml | ||||||
``` | ||||||
|
||||||
--- | ||||||
|
||||||
## Configure load balancing | ||||||
|
||||||
Create a file named *virtual-server.yaml* for the VirtualServer resource. The *policies* field references the example application. | ||||||
|
||||||
|
||||||
{{< ghcode "https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/virtual-server.yaml" "hl_lines=7-8" >}} | ||||||
|
||||||
Apply the policy: | ||||||
|
||||||
```shell | ||||||
kubectl apply -f virtual-server.yaml | ||||||
``` | ||||||
|
||||||
--- | ||||||
|
||||||
## Test the example application | ||||||
|
||||||
Use *curl* to attempt to access the application: | ||||||
|
||||||
```shell | ||||||
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT | ||||||
``` | ||||||
```text | ||||||
<html> | ||||||
<head><title>403 Forbidden</title></head> | ||||||
<body> | ||||||
<center><h1>403 Forbidden</h1></center> | ||||||
</body> | ||||||
</html> | ||||||
``` | ||||||
|
||||||
The *403* response is expected, successfully blocking your machine. | ||||||
|
||||||
--- | ||||||
|
||||||
## Update the policy | ||||||
|
||||||
|
||||||
Create a new policy with the file *access-control-policy-allow.yaml*, updating the *allow* field to the subnet of your machine. | ||||||
|
||||||
{{< ghcode "https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/refs/heads/main/examples/custom-resources/access-control/access-control-policy-allow.yaml" "hl_lines=7-8" >}} | ||||||
|
||||||
Apply the policy: | ||||||
|
||||||
```shell | ||||||
kubectl apply -f access-control-policy-allow.yaml | ||||||
``` | ||||||
|
||||||
---- | ||||||
|
||||||
## Verify the policy update | ||||||
|
||||||
Attempt to access the application again: | ||||||
|
||||||
```shell | ||||||
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT | ||||||
``` | ||||||
```text | ||||||
Server address: 10.64.0.13:8080 | ||||||
Server name: webapp-5cbbc7bd78-wf85w | ||||||
``` | ||||||
|
||||||
The successful response demonstrates that the policy has been updated. |
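Review bot: Under "Configure load balancing", the sentence "The *policies* field references the example application" is inaccurate, and the lead-in before `kubectl apply -f virtual-server.yaml` reads "Apply the policy:". The removed README stated that the VirtualServer references the policy `webapp-policy`, so this should say the *policies* field references that policy, and the lead-in should say the VirtualServer is being applied. Under "Deploy an Access Control policy", "The highlighted *deny* field will be used by the example application" has the same problem (the policy enforces it, not the application), and the default `10.0.0.0/8` value is no longer mentioned. "Update the policy" opens with "Create a new policy", while the old text described updating the existing one; please say which it is. The three `ghcode` URLs track `refs/heads/main` with a fixed `hl_lines=7-8`, so the highlight will drift if those files change. Smaller points: `docs: DOCS-000` looks like a placeholder, the separator before "Verify the policy update" is `----` rather than `---`, the `shell` and `text` fences after both curl commands have no blank line between them, and the sentence ending in the VirtualServer link and list item 2 lack a closing period.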
Access Control is a feature and policy is one of the steps so the original title is apt
The original title does not describe the intent of the document, and the new one is matched to the website document, which is written as an instruction.