2

Is it possible to perform authorization (rule-based) in a Kubernetes ingress (like Kong or nginx)? For example, I have this:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-bar
spec:
  rules:
  - host: api.foo.bar
    http:
      paths:
      - path: /service
        backend:
          serviceName: service.foo.bar
          servicePort: 80
```

But before redirecting to /service, I need to make a call to my authorization API to validate whether the request token has the rule to pass for /service.

Or do I really need to use an API gateway behind the ingress, like Spring Zuul, to do this?

1 Answer

2

An Ingress manifest is just input for a controller. You also need an Ingress Controller, a proxy that understands the Ingress object. Kong and Nginx are two examples of implementations.

The Nginx Ingress Controller is provided by the Kubernetes community, and it has an example of configuring an external oauth2 proxy using annotations:

```yaml
annotations:
  nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
  nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
```
Jonas
  • There are 4 types of authentication you can configure with the Nginx Ingress Controller; you can find the documentation in the [nginx controller github repo](https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth) – Matt Nov 25 '19 at 10:22
  • 1
    perfect, nginx.ingress.kubernetes.io/auth-url worked! – Ricardo Palazzio Nov 25 '19 at 16:37
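
The following is an added example, not code from the question or the answer: a minimal authorization endpoint of the kind `nginx.ingress.kubernetes.io/auth-url` can point at. ingress-nginx sends a subrequest carrying the client's headers plus `X-Original-URL`; a 2xx reply lets the request through and 401/403 rejects it. The token table, the `decide` and `normalized_path` helpers and port 8080 are assumptions made for illustration.

```python
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

# Constructed sample rules: token -> path prefixes it may reach.
# A real service would verify the token (signature, expiry) instead.
TOKEN_RULES = {
    "token-svc": ["/service"],
    "token-other": ["/other"],
}

def normalized_path(original_url):
    """Decode and collapse dot segments so /service/../x cannot pass as /service."""
    raw = urlsplit(original_url).path
    return posixpath.normpath("/" + unquote(raw).lstrip("/"))

def decide(headers):
    """Status for the auth subrequest: 200 allow, 401 bad token, 403 no rule."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token not in TOKEN_RULES:
        return 401
    path = normalized_path(headers.get("X-Original-URL", ""))
    for prefix in TOKEN_RULES[token]:
        if path == prefix or path.startswith(prefix + "/"):
            return 200
    return 403

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # ingress-nginx forwards the client's headers plus X-Original-URL.
        self.send_response(decide(self.headers))
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), AuthHandler).serve_forever()
```

The path is normalized before the prefix check because `X-Original-URL` carries the raw request URI, so an unnormalized comparison would accept `/service/../other` for a token that only has the `/service` rule.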