Deploy a Policy for access control

This topic describes how to use F5 NGINX Ingress Controller to apply and update a Policy for access control. It demonstrates it using an example application and a VirtualServer custom resource.


Before you begin

You should have a working NGINX Ingress Controller instance.

For ease of use in shell commands, set two shell variables:

  1. The public IP address for your NGINX Ingress Controller instance:

     IC_IP=<ip-address>

  2. The HTTP port of the same instance:

     IC_HTTP_PORT=<port number>

Deploy the example application

Create the file webapp.yaml with the following contents:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      containers:
      - name: webapp
        image: nginxdemos/nginx-hello:plain-text
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: webapp-svc
spec:
  ports:
  - port: 80
    targetPort: 8080
    protocol: TCP
    name: http
  selector:
    app: webapp

Apply it using kubectl:

kubectl apply -f webapp.yaml

Deploy a Policy to create a deny rule

Create a file named access-control-policy-deny.yaml. The deny field holds the subnet that will be blocked from reaching the example application; change it to the subnet of your machine.

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: webapp-policy
spec:
  accessControl:
    deny:
    - 10.0.0.0/8

Apply the policy:

kubectl apply -f access-control-policy-deny.yaml

Configure load balancing

Create a file named virtual-server.yaml for the VirtualServer resource. The policies field references the access control Policy created in the previous section.

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: webapp
spec:
  host: webapp.example.com
  policies:
  - name: webapp-policy
  upstreams:
  - name: webapp
    service: webapp-svc
    port: 80
  routes:
  - path: /
    action:
      pass: webapp

Apply the VirtualServer:

kubectl apply -f virtual-server.yaml

Test the example application

Use curl to attempt to access the application:

curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>

The 403 response is expected: the Policy is blocking requests from your machine's subnet.


Update the Policy to create an allow rule

Update the Policy with the file access-control-policy-allow.yaml, setting the allow field to the subnet of your machine.

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: webapp-policy
spec:
  accessControl:
    allow:
    - 10.0.0.0/8

Apply the Policy:

kubectl apply -f access-control-policy-allow.yaml

Verify the Policy update

Attempt to access the application again:

curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT
Server address: 10.64.0.13:8080
Server name: webapp-5cbbc7bd78-wf85w

The successful response demonstrates that the updated Policy now allows requests from your machine's subnet.
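Before applying either Policy, it is useful to confirm that the CIDR you wrote actually covers your machine, since a typo produces the opposite result from the one the deny and allow tests above expect. The following pre-flight checker is an added example, not code from the NGINX Ingress Controller project; it evaluates a Policy spec against a client IP with the semantics observed on this page (a deny list blocks only the listed subnets, an allow list blocks everything else) and assumes, as the project's validation does to my knowledge, that a single accessControl block holds either allow or deny but not both.

```python
import ipaddress
from typing import Dict, List

# Constructed Policy specs mirroring the two manifests in this topic.
DENY_POLICY = {"accessControl": {"deny": ["10.0.0.0/8"]}}
ALLOW_POLICY = {"accessControl": {"allow": ["10.0.0.0/8"]}}


def validate(spec: Dict) -> List[str]:
    """Return a list of problems; an empty list means the spec looks applyable."""
    problems = []
    ac = spec.get("accessControl") or {}
    allow, deny = ac.get("allow"), ac.get("deny")
    # Assumption: the controller rejects a policy that sets both lists.
    if allow and deny:
        problems.append("accessControl sets both allow and deny")
    if not allow and not deny:
        problems.append("accessControl needs an allow or a deny list")
    for cidr in (allow or []) + (deny or []):
        try:
            # strict=False tolerates host bits set, e.g. 10.1.2.3/8.
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"invalid CIDR: {cidr!r}")
    return problems


def evaluate(spec: Dict, client_ip: str) -> bool:
    """Return True if client_ip would be served, False if it would get a 403."""
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))
    ac = spec["accessControl"]
    ip = ipaddress.ip_address(client_ip)
    # An IPv6 client never matches an IPv4 network (and vice versa), so a
    # deny list written only for IPv4 leaves IPv6 clients allowed.
    if ac.get("deny"):
        nets = [ipaddress.ip_network(c, strict=False) for c in ac["deny"]]
        return not any(ip in n for n in nets)
    nets = [ipaddress.ip_network(c, strict=False) for c in ac["allow"]]
    return any(ip in n for n in nets)


if __name__ == "__main__":
    for name, spec in (("deny", DENY_POLICY), ("allow", ALLOW_POLICY)):
        for ip in ("10.20.30.40", "192.168.1.10", "2001:db8::1"):
            verdict = "served" if evaluate(spec, ip) else "403"
            print(f"{name:5} policy, client {ip:14} -> {verdict}")
```

Run it with your own address substituted for the sample clients; if the deny policy reports "served" for your machine, the CIDR does not cover you and the 403 test will not behave as described.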



Last modified January 16, 2025