demo ingress

这个实例中,实现将 访问 https://image.frytea.com/Avatar.jpg 请求302到 https://image.frytea.com/i/Avatar.jpg

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: imagehost
  annotations:
    cert-manager.io/cluster-issuer: "dnspod-cluster-issuer"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location = /Avatar.jpg {
        return 301 https://image.frytea.com/i/Avatar.jpg$is_args$args;
      }
spec:
  ingressClassName: nginx
  tls:
  - hosts:
      - image.frytea.com
      - imagehost-cdn.frytea.com
      - cdn-imagehost.frytea.com
    secretName: image-frytea-com-tls
  rules:
  - host: image.frytea.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app
            port:
              name: web

直接配置会提示报错:

➜  imagehost git:(main) ✗ kubectl apply -f ingress.yaml  
Error from server (BadRequest): error when applying patch:  
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"networking.k8s.io/v1\",\"kind\":\"Ingress\",\"metadata\":{\"annotati  
ons\":{\"cert-manager.io/cluster-issuer\":\"dnspod-cluster-issuer\",\"nginx.ingress.kubernetes.io/configuration-snippet\":\"location = /Avatar.jpg {\\n  return 301 ht  
tps://image.frytea.com/i/Avatar.jpg$is_args$args;\\n}\\n\"},\"name\":\"app\",\"namespace\":\"imagehost\"},\"spec\":{\"ingressClassName\":\"nginx\",\"rules\":[{\"host\  
":\"image.frytea.com\",\"http\":{\"paths\":[{\"backend\":{\"service\":{\"name\":\"app\",\"port\":{\"name\":\"web\"}}},\"path\":\"/\",\"pathType\":\"Prefix\"}]}},{\"ho  
st\":\"imagehost-cdn.frytea.com\",\"http\":{\"paths\":[{\"backend\":{\"service\":{\"name\":\"app\",\"port\":{\"name\":\"web\"}}},\"path\":\"/\",\"pathType\":\"Prefix\  
"}]}},{\"host\":\"cdn-imagehost.frytea.com\",\"http\":{\"paths\":[{\"backend\":{\"service\":{\"name\":\"app\",\"port\":{\"name\":\"web\"}}},\"path\":\"/\",\"pathType\  
":\"Prefix\"}]}}],\"tls\":[{\"hosts\":[\"image.frytea.com\",\"imagehost-cdn.frytea.com\",\"cdn-imagehost.frytea.com\"],\"secretName\":\"image-frytea-com-tls\"}]}}\n",  
"nginx.ingress.kubernetes.io/configuration-snippet":"location = /Avatar.jpg {\n  return 301 https://image.frytea.com/i/Avatar.jpg$is_args$args;\n}\n","nginx.ingress.k  
ubernetes.io/rewrite-rule":null}}}  
to:  
Resource: "networking.k8s.io/v1, Resource=ingresses", GroupVersionKind: "networking.k8s.io/v1, Kind=Ingress"  
Name: "app", Namespace: "imagehost"  
for: "ingress.yaml": error when patching "ingress.yaml": admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: annotation group ConfigurationSn  
ippet contains risky annotation based on ingress configuration
这个错误来自于 Nginx Ingress Controller 自带的一个叫做 "Admission Webhook" 的安全校验机制。它的作用是在你创建或更新 Ingress 资源时进行检查,防止应用不安全或可能导致问题的配置。
很多 Nginx Ingress Controller 的默认安装配置或者管理员策略禁用限制 configuration-snippetserver-snippet 这类强大的注解

开启 Snippet 注释

使用 helm 部署的 nginx-ingress ,首先修改 Values.yaml 中的内容,启动

controller:
  allowSnippetAnnotations: true

将配置应用到集群:

helm upgrade --install ingress-nginx ingress-nginx  \
    --repo https://kubernetes.github.io/ingress-nginx  \
    --namespace ingress-nginx --create-namespace -f vaules.yaml

之后调整 ConfigMap

kubectl -n ingress-nginx edit cm ingress-nginx-controller

增加两行:

...
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  annotations-risk-level: Critical
  use-forwarded-headers: "true"
kind: ConfigMap
...

其中 :

  • annotations-risk-level: Critical: 设置 Webhook 接受的最高风险门槛,确保 Snippets(作为 Critical 风险注解)在被评估时不会因为风险等级过高而被直接拒绝,从而让 allow-snippet-annotations 的设置能够生效
  • use-forwarded-headers: "true": 告诉 Nginx Ingress Controller 信任并使用由其上游代理(通常是你的云服务商提供的负载均衡器,如 AWS ELB/ALB/NLB, GCP Load Balancer, Azure Load Balancer 等)设置的 X-Forwarded-*Forwarded HTTP 头部信息,来确定原始客户端的真实信息

再重启所有 nginx controller

kubectl rollout restart -n ingress-nginx daemonset ingress-nginx-controller

之后在尝试 apply 上面的 demo 就可以成功了。

References

最后修改:2025 年 04 月 15 日
© 允许规范转载
如果觉得我的文章对你有用,请随意赞赏