Deploy a Policy for access control
This topic describes how to use F5 NGINX Ingress Controller to apply and update a Policy for access control. It demonstrates it using an example application and a VirtualServer custom resource.
You should have a working NGINX Ingress Controller instance.
For ease of use in shell commands, set two shell variables:
- The public IP address for your NGINX Ingress Controller instance.
IC_IP=<ip-address>- The HTTP port of the same instance.
IC_HTTP_PORT=<port number>Create the file webapp.yaml with the following contents:
/webapp_6642516566950503625.yamlApply it using kubectl:
kubectl apply -f webapp.yamlCreate a file named access-control-policy-deny.yaml. The highlighted deny field will be used by the example application, and should be changed to the subnet of your machine.
/access-control-policy-deny_6406539143738135081.yamlApply the policy:
kubectl apply -f access-control-policy-deny.yamlCreate a file named virtual-server.yaml for the VirtualServer resource. The policies field references the access control Policy created in the previous section.
/virtual-server_10292496036157374013.yamlApply the policy:
kubectl apply -f virtual-server.yamlUse curl to attempt to access the application:
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>The 403 response is expected, successfully blocking your machine.
Update the Policy with the file access-control-policy-allow.yaml, setting the allow field to the subnet of your machine.
/access-control-policy-allow_13623911874850598381.yamlApply the Policy:
kubectl apply -f access-control-policy-allow.yamlAttempt to access the application again:
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORTServer address: 10.64.0.13:8080
Server name: webapp-5cbbc7bd78-wf85wThe successful response demonstrates that the policy has been updated.