
In a project we started using GKE to host some services.

Those services should be accessible by all team members, but should not be accessible for anyone else in the world.

Our team works from home, hence we cannot restrict IP addresses or something like that.

What is the best way to make sure only team members can access the service?

I tried to set up IAP. That works, but it is a lot of setup for each service, and I did not find a way to allow a "technical user", like allowing sonarscanner to reach SonarQube.

Maybe another option would be setting up a dedicated nginx-ingress controller that I can secure using BasicAuth or client certificates. But it feels like my situation is quite common and I am missing something that already exists. Any hints?


The current challenge with IAP is that I have services like SonarQube that offer both a web interface and an API. Using a browser to access the web interface works fine. But it's not clear to me how to configure, for example, sonarscanner to access the IAP-protected API.

The second issue with IAP is that it requires each service to configure quite a bit of GKE-specific boilerplate (FrontendConfig/BackendConfig/annotations/etc.). I would really like to shift that kind of configuration from the services (i.e. developers) to the cluster/ingress controller (i.e. cluster admin).

michas
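Added example, not code from the question or its comments: the GKE-specific IAP boilerplate the question refers to, applied to a single service. Assumed names: a Secret `iap-oauth-secret` holding the IAP OAuth client as keys `client_id` and `client_secret`, a Deployment labelled `app: sonarqube` listening on port 9000, and the host `sonarqube.example.com`.

```yaml
# BackendConfig (GKE CRD): turns IAP on for every backend that references it.
# The referenced Secret must carry the OAuth client as client_id/client_secret.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: iap-backendconfig
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth-secret   # assumed to exist in the same namespace
---
# Service: the annotation binds the BackendConfig to all of its ports ("default").
apiVersion: v1
kind: Service
metadata:
  name: sonarqube
  annotations:
    cloud.google.com/backend-config: '{"default": "iap-backendconfig"}'
spec:
  type: ClusterIP   # no public exposure except through the IAP-fronted load balancer
  selector:
    app: sonarqube
  ports:
    - port: 9000
      targetPort: 9000
---
# Ingress on the GKE external HTTP(S) load balancer. IAP only checks traffic
# that enters through this load balancer, which is why the Service stays ClusterIP.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sonarqube
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
    - host: sonarqube.example.com   # placeholder hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sonarqube
                port:
                  number: 9000
```

A non-browser client such as sonarscanner then needs a service account granted the IAP-secured Web App User role and must send `Authorization: Bearer <ID token>` with the token's audience set to that same OAuth client ID; browser users get the equivalent check through the IAP sign-in redirect.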
  • IAP is the right solution. Can you describe more about your current challenges and issues? – guillaume blaquiere Nov 12 '20 at 13:39
  • @guillaumeblaquiere I added a bit more detail on IAP in the question. – michas Nov 12 '20 at 14:53
  • With the gcloud CLI you can open a tunnel with IAP, and then connect your local app on this tunnel (localhost:PORT). However, I agree with the boilerplate configuration. I don't have a magic solution in mind to solve this... Sorry! – guillaume blaquiere Nov 12 '20 at 15:46
