
Commit c31e24d

committed
updated ingress.yaml
1 parent de54670 commit c31e24d

1 file changed

+18
-0
lines changed

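--- a/ingress.yaml
+++ b/ingress.yaml
@@ -56,6 +56,7 @@ metadata:
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 #nginx.ingress.kubernetes.io/force-ssl-redirect: "true" # redirect even if the ingress doesn't have TLS
 
+# =============
 # Rate Limiting - mitigate DoS / brute force attacks
 #
 # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#rate-limiting
@@ -65,10 +66,13 @@ metadata:
 #nginx.ingress.kubernetes.io/limit-rpm: 60 # req/min
 #nginx.ingress.kubernetes.io/limit-whitelist: 10.0.0.0/8,172.16.0.0/12,192.168.0.0./16
 
+# ======================
 # rewrite /APP to just /
 nginx.ingress.kubernetes.io/rewrite-target: /
 #nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 
+# ==============================
+# IP Whitelisting / Blacklisting
 # XXX: Edit to make available externally or apply common ingress.nginx.patch.yaml with shared IP list eg. Cloudflare
 # XXX: instead of putting Cloudflare IPs in every ingress - see the ingress-nginx/base/annotations.patch.yaml to apply to all ingresses
 nginx.ingress.kubernetes.io/whitelist-source-range: |
@@ -77,13 +81,24 @@ metadata:
 192.168.0.0/16
 #nginx.ingress.kubernetes.io/denylist-source-range: x.x.x.x/y # block known bad CIDR
 
+# ============
 # Mod Security
 #
 # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity
 #
 #nginx.ingress.kubernetes.io/enable-modsecurity: "true"
 #nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
 
+# =================
+# URL Path Blocking eg. Coder block SSH in open source version because enterprise version is expensive
+#
+#nginx.ingress.kubernetes.io/configuration-snippet: |
+# location ~* /api/v2/deployment/ssh {
+# deny all
+# return 403
+# }
+
+# ======
 # Canary
 #
 # https://kubernetes.github.io/ingress-nginx/examples/affinity/cookie/
@@ -97,10 +112,12 @@ metadata:
 #nginx.ingress.kubernetes.io/canary-by-header: "some-header"
 #nginx.ingress.kubernetes.io/canary-by-header-value: "some-value"
 
+# ======================
 # Mirror to test backend
 #
 # nginx.ingress.kubernetes.io/mirror-target: https://test.env.com/$request_uri
 
+# =======
 # AWS EKS
 #
 # https://aws.amazon.com/premiumsupport/knowledge-center/eks-configure-nginx-ingress-controller/
@@ -111,6 +128,7 @@ metadata:
 # nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
 # nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
 
+# ============================================
 # Enable OpenTracing only for this one ingress
 #
 #nginx.ingress.kubernetes.io/enable-opentracing: "true"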
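Review bot: The commented-out `configuration-snippet` example added under "URL Path Blocking" (new lines 95-99) has no terminating semicolons on `deny all` and `return 403`. Anyone who uncomments it as written gets nginx directives that will not parse, so the Ingress is likely to be rejected or the reload to fail, and the SSH path stays reachable. Write the two lines as `# deny all;` and `# return 403;`; either directive alone is enough to block the path. A comment next to the example should also say that snippet annotations only take effect when the controller has `allow-snippet-annotations` enabled, which recent ingress-nginx releases disable by default because it lets anyone who can edit an Ingress inject raw nginx configuration. Something like `# requires allow-snippet-annotations on the controller - enable only if Ingress write access is restricted` would make that dependency and its risk visible.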
