• F5

    Deliver and secure every app

  • DevCentral

    Connect & learn in our hosted community

  • MyF5

    Your key to everything F5, including support, registration keys, and subscriptions

  • NGINX

    Learn more about NGINX Open Source and read the community blog

  • Community Forum

    Engage with the broader NGINX community for discussions and troubleshooting

Deploy a Policy for access control

This topic describes how to use F5 NGINX Ingress Controller to apply and update a Policy for access control. It demonstrates it using an example application and a VirtualServer custom resource.

Before you begin

You should have a working NGINX Ingress Controller instance.

For ease of use in shell commands, set two shell variables:

  1. The public IP address for your NGINX Ingress Controller instance.
IC_IP=<ip-address>
  1. The HTTP port of the same instance.
IC_HTTP_PORT=<port number>

Deploy the example application

Create the file webapp.yaml with the following contents:

yaml
apiVersion: apps/v1 kind: Deployment metadata:  name: webapp spec:  replicas: 1  selector:  matchLabels:  app: webapp  template:  metadata:  labels:  app: webapp  spec:  containers:  - name: webapp  image: nginxdemos/nginx-hello:plain-text  ports:  - containerPort: 8080 --- apiVersion: v1 kind: Service metadata:  name: webapp-svc spec:  ports:  - port: 80  targetPort: 8080  protocol: TCP  name: http  selector:  app: webapp

Apply it using kubectl:

kubectl apply -f webapp.yaml

Deploy a Policy to create a deny rule

Create a file named access-control-policy-deny.yaml. The highlighted deny field will be used by the example application, and should be changed to the subnet of your machine.

yaml
apiVersion: k8s.nginx.org/v1 kind: Policy metadata:  name: webapp-policy spec:  accessControl:  deny:  - 10.0.0.0/8

Apply the policy:

kubectl apply -f access-control-policy-deny.yaml

Configure load balancing

Create a file named virtual-server.yaml for the VirtualServer resource. The policies field references the access control Policy created in the previous section.

yaml
apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata:  name: webapp spec:  host: webapp.example.com  policies:  - name: webapp-policy  upstreams:  - name: webapp  service: webapp-svc  port: 80  routes:  - path: /  action:  pass: webapp

Apply the policy:

kubectl apply -f virtual-server.yaml

Test the example application

Use curl to attempt to access the application:

curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
text
<html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> </body> </html>

The 403 response is expected, successfully blocking your machine.

Update the Policy to create an allow rule

Update the Policy with the file access-control-policy-allow.yaml, setting the allow field to the subnet of your machine.

yaml
apiVersion: k8s.nginx.org/v1 kind: Policy metadata:  name: webapp-policy spec:  accessControl:  allow:  - 10.0.0.0/8

Apply the Policy:

kubectl apply -f access-control-policy-allow.yaml

Verify the Policy update

Attempt to access the application again:

curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
text
Server address: 10.64.0.13:8080 Server name: webapp-5cbbc7bd78-wf85w

The successful response demonstrates that the policy has been updated.

View source
Edit this page
Create a new issue