1

I have a project on k8s with 3 services, that I want to cover with basic auth, and 1 service that I'd like to be public. In ingress 4 services devided by url rules, that have different prefixes. I had found tutorial about basic auth setup in ingress for all rules, but not about excluded, included urls.

G Jones
  • 357
  • 1
  • 6
Oleksiy
  • 794
  • 2
  • 14
  • 39
  • I think this might help you https://github.com/kubernetes-retired/contrib/issues/1950 – Andrei Stoicescu Nov 23 '20 at 14:48
  • @AndreiStoicescu, thx, I looked inside this issue and I consider that it is not ideal solution, but it could be well working. – Oleksiy Nov 23 '20 at 15:11
  • 1
    You have used many tags and didnt specify your enviroment details. Are you using Google Cloud and want use GCP Ingress or Nginx Ingress? Or this is your local environment? – PjoterS Nov 24 '20 at 08:20
  • I'm using Google cloud, and using GCP ingress – Oleksiy Nov 24 '20 at 13:16

1 Answers1

1

Unfortunately GCP Ingress does not provide basic auth authentication as this feature is specific for Nginx Ingress.

As workaround for basic auth in GCP Ingress you can use IAP. Detailed How To information can be found in Enabling IAP for GKE article.

If you would still like to use Nginx Ingress basic auth you can do it on GKE but you need specify nginx annotation.

metadata:
  name: foo
  annotations:
    kubernetes.io/ingress.class: "nginx"

Regarding using basic auth on only one service out of four, you can createa 2 Ingress. Very similar issue was discussed in another stackoverflow thread, which contains good solution - Nginx-ingress Kubernetes routing with basic auth.

Basic Auth Ingress

First Ingress should be without annotations:

  • nginx.ingress.kubernetes.io/auth-type
  • nginx.ingress.kubernetes.io/auth-secret
  • nginx.ingress.kubernetes.io/auth-realm

Second Ingress should contain proper annotations and should look similar to below YAML.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
    #cert-manager.io/cluster-issuer: if you would use cert manager like letsencrypt
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: auth-service
              servicePort: <auth-service-port>

Aditional information

There is an option to deny all traffic to specific path. It can be achieved by configuration-snippet annotation.

   annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |

      location /specificpath {

           deny all;  
      }
PjoterS
  • 12,841
  • 1
  • 22
  • 54