apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: flask-app-ingress namespace: default annotations: # Nginx 配置 kubernetes.io/ingress.class: nginx # 启用 HTTPS 重定向 nginx.ingress.kubernetes.io/ssl-redirect: true nginx.ingress.kubernetes.io/force-ssl-redirect: true # 限流每秒 10 个请求突发 20 nginx.ingress.kubernetes.io/limit-rps: 10 nginx.ingress.kubernetes.io/limit-burst-multiplier: 2 # 客户端真实 IP nginx.ingress.kubernetes.io/enable-real-ip: true nginx.ingress.kubernetes.io/proxy-real-ip-cidr: 0.0.0.0/0 # 连接超时 nginx.ingress.kubernetes.io/proxy-connect-timeout: 60 nginx.ingress.kubernetes.io/proxy-send-timeout: 60 nginx.ingress.kubernetes.io/proxy-read-timeout: 60 # 缓冲区大小 nginx.ingress.kubernetes.io/proxy-buffering: on nginx.ingress.kubernetes.io/proxy-buffer-size: 16k nginx.ingress.kubernetes.io/proxy-buffers-number: 4 # Gzip 压缩 nginx.ingress.kubernetes.io/enable-gzip: true nginx.ingress.kubernetes.io/gzip-level: 6 nginx.ingress.kubernetes.io/gzip-min-length: 1024 nginx.ingress.kubernetes.io/gzip-types: text/plain text/css application/json application/javascript text/xml application/xml application/xmlrss text/javascript # 安全头 nginx.ingress.kubernetes.io/configuration-snippet: | add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection 1; modeblock always; add_header Referrer-Policy strict-origin-when-cross-origin always; # 认证 # nginx.ingress.kubernetes.io/auth-type: basic # nginx.ingress.kubernetes.io/auth-secret: flask-app-basic-auth # nginx.ingress.kubernetes.io/auth-realm: Authentication Required # 自定义错误页面 # nginx.ingress.kubernetes.io/custom-http-errors: 404,500,502,503,504 # nginx.ingress.kubernetes.io/default-backend: custom-error-pages # 重写目标 # nginx.ingress.kubernetes.io/rewrite-target: /$1 # WAF如果安装了 ModSecurity # nginx.ingress.kubernetes.io/enable-modsecurity: true # nginx.ingress.kubernetes.io/modsecurity-snippet: | # SecRuleEngine On # SecRequestBodyAccess On spec: tls: - hosts: - flask.example.com secretName: flask-app-tls-secret # TLS 证书 Secret rules: - host: flask.example.com http: paths: - path: / pathType: Prefix backend: service: name: flask-app-service port: number: 80
ingress-nginx
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: flask-app-ingress namespace: default annotations: # Nginx 配置 kubernetes.io/ingress.class: nginx # 启用 HTTPS 重定向 nginx.ingress.kubernetes.io/ssl-redirect: true nginx.ingress.kubernetes.io/force-ssl-redirect: true # 限流每秒 10 个请求突发 20 nginx.ingress.kubernetes.io/limit-rps: 10 nginx.ingress.kubernetes.io/limit-burst-multiplier: 2 # 客户端真实 IP nginx.ingress.kubernetes.io/enable-real-ip: true nginx.ingress.kubernetes.io/proxy-real-ip-cidr: 0.0.0.0/0 # 连接超时 nginx.ingress.kubernetes.io/proxy-connect-timeout: 60 nginx.ingress.kubernetes.io/proxy-send-timeout: 60 nginx.ingress.kubernetes.io/proxy-read-timeout: 60 # 缓冲区大小 nginx.ingress.kubernetes.io/proxy-buffering: on nginx.ingress.kubernetes.io/proxy-buffer-size: 16k nginx.ingress.kubernetes.io/proxy-buffers-number: 4 # Gzip 压缩 nginx.ingress.kubernetes.io/enable-gzip: true nginx.ingress.kubernetes.io/gzip-level: 6 nginx.ingress.kubernetes.io/gzip-min-length: 1024 nginx.ingress.kubernetes.io/gzip-types: text/plain text/css application/json application/javascript text/xml application/xml application/xmlrss text/javascript # 安全头 nginx.ingress.kubernetes.io/configuration-snippet: | add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection 1; modeblock always; add_header Referrer-Policy strict-origin-when-cross-origin always; # 认证 # nginx.ingress.kubernetes.io/auth-type: basic # nginx.ingress.kubernetes.io/auth-secret: flask-app-basic-auth # nginx.ingress.kubernetes.io/auth-realm: Authentication Required # 自定义错误页面 # nginx.ingress.kubernetes.io/custom-http-errors: 404,500,502,503,504 # nginx.ingress.kubernetes.io/default-backend: custom-error-pages # 重写目标 # nginx.ingress.kubernetes.io/rewrite-target: /$1 # WAF如果安装了 ModSecurity # nginx.ingress.kubernetes.io/enable-modsecurity: true # nginx.ingress.kubernetes.io/modsecurity-snippet: | # SecRuleEngine On # SecRequestBodyAccess On spec: tls: - hosts: - flask.example.com secretName: flask-app-tls-secret # TLS 证书 Secret rules: - host: flask.example.com http: paths: - path: / pathType: Prefix backend: service: name: flask-app-service port: number: 80
