Restricting Keycloak admin url - keycloak

I am trying to restrict the Keycloak admin context (https://myserver.domain.com/auth/admin/*) to specific IPs only. However, I want to keep the other contexts open to all (e.g. /).
The service is running in a GKE cluster with LoadBalancer, Nginx Ingress and backend. Below are the two configs created to achieve the above requirement.
Ingress1 is working and accessible to all, including /auth/admin/*.
Nginx Ingress1:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/affinity: cookie
  labels:
    app.kubernetes.io/managed-by: Helm
  name: kc-ingress
  namespace: kc
spec:
  ingressClassName: nginx
  rules:
  - host: my.domain.com
    http:
      paths:
      - backend:
          service:
            name: kc-service
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
```
Ingress2 is created to restrict the /auth/admin/* which is not working as expected.
Nginx Ingress2:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: x.x.x.x/32
  labels:
    app.kubernetes.io/managed-by: Helm
  name: kc-ingress-restricted
  namespace: kc
spec:
  ingressClassName: nginx
  rules:
  - host: my.domain.com
    http:
      paths:
      - backend:
          service:
            name: kc-service
            port:
              number: 80
        path: /auth/admin/(.*)
        pathType: Prefix
```
Not sure what else is missing here.
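
One configuration that expresses the requirement above for ingress-nginx, as an added example that is not part of the original post. The names kc-ingress-restricted, kc-service, my.domain.com and the x.x.x.x/32 placeholder come from the question; the controller Service name, namespace, selector labels and port are assumptions and must match the installed controller.

```yaml
# Added example. Restricts only the admin path; the open kc-ingress for "/"
# is a separate Ingress object and is not affected by these annotations.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kc-ingress-restricted
  namespace: kc
  annotations:
    # The path below is a regular expression. With use-regex set,
    # ingress-nginx applies regex matching to all paths of this host.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # Allow-list applied to every path defined in this Ingress object.
    # x.x.x.x/32 is the placeholder from the question.
    nginx.ingress.kubernetes.io/whitelist-source-range: x.x.x.x/32
spec:
  ingressClassName: nginx
  rules:
  - host: my.domain.com
    http:
      paths:
      # Prefix and Exact are literal path types; a regex path needs
      # ImplementationSpecific.
      - path: /auth/admin(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: kc-service
            port:
              number: 80
---
# The allow-list is checked against the client address NGINX sees. Behind a
# LoadBalancer Service that can be a node address unless the controller
# Service preserves the source IP. All names below are assumed.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
  - name: https
    port: 443
    targetPort: https
```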

Related

Combining routes of frontend and backend

I have a React front-end and Flask API as back-end.
I wish to have both front-end and back-end routes accessible at same address. E.g frontend at myapp.web.com and backend at myapp.web.com/api.
It will have different deployments for them. I want to know how to do this.
Yes, you can have the same domain that can point to multiple services based on the path.
Normally this can help you to resolve the CORS issue.
API
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  name: backend-ingress
  namespace: backend-api
spec:
  rules:
  - host: myapp.web.com
    http:
      paths:
      - backend:
          service:
            name: backend-service-name
            port:
              number: 80
        path: /api
        pathType: Prefix
  tls:
  - hosts:
    - myapp.web.com
    secretName: my-secret-tls
```
Frontend ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: frontend-service
  namespace: frontend-service
spec:
  rules:
  - host: myapp.web.com
    http:
      paths:
      - backend:
          service:
            name: frontend-service-name
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - myapp.web.com
    secretName: my-secret-tls
```
So in this case, all the requests that start with /api will route to the backend app and the rest of the requests will route to the frontend.

nginx-ingress: Redirect host URI based on request header for specific range of IPs

I am new to K8s and learning the concepts.
I need to achieve the following requirements using nginx-ingress in K8s
Whenever we receive request to abc.com/api it should get redirected to example.com/api, if the request is not from whitelisted IP range.
Kindly assist me with suggestions or feedback on this.
Thank you
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: nginx
    meta.helm.sh/release-name: static-web
    meta.helm.sh/release-namespace: default
    nginx.ingress.kubernetes.io/rewrite-target: /404.html
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  labels:
    app.kubernetes.io/managed-by: Helm
  name: internal-ingress
  namespace: default
spec:
  rules:
  - host: abc.com
    http:
      paths:
      - backend:
          service:
            name: nginx-svc
            port:
              number: 8000
        path: /api/user-service
        pathType: Prefix
      - backend:
          service:
            name: nginx-svc
            port:
              number: 8000
        path: /api/notification-service
        pathType: Prefix
  tls:
  - hosts:
    - abc.com
    secretName: ingress-secret-tls
```

Routing of application doesn't work with Kubernetes ingress

I have a Kubernetes Ingress with the following configuration
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grafana
            port:
              number: 3000
```
This works just fine. I can open up the page in the browser and my application works perfectly fine but whenever I add another service like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /prometheus
        pathType: Prefix
        backend:
          service:
            name: prometheus
            port:
              number: 9090
      - path: /grafana
        pathType: Prefix
        backend:
          service:
            name: grafana
            port:
              number: 3000
```
Things just don't work anymore. My grafana application is now accessible under /grafana but all the routes and links inside the app don't work anymore. What do I have to change so that everything will work?
I've already tried adding these two annotations but it didn't change anything.
```yaml
ingress.kubernetes.io/add-base-url: "true"
ingress.kubernetes.io/rewrite-target: "/$1"
```

Is it possible to use same hostname with multiple Ingress resources running in different namespaces?

I want to use the same hostname, let's say example.com, with multiple Ingress resources running in different namespaces, i.e. monitoring and myapp. I'm using the Kubernetes nginx-ingress controller.
haproxy-ingress.yaml
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: haproxy-ingress
  namespace: myapp
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    # fill in host here
    - example.com
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: haproxy
            port:
              number: 80
```
grafana-ingress.yaml
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-ingress
  namespace: monitoring
  annotations:
    nginx.ingress.kubernetes.io/use-regex: "true"
spec:
  tls:
  - hosts:
    - example.com
  rules:
  - host: example.com
    http:
      paths:
      # only match /grafana and paths under /grafana/
      - path: /grafana(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: grafana
            port:
              number: 3000
```
When I'm doing curl example.com then it is redirecting me to the deployment running in namespace one (as expected), but when I'm doing curl example.com/grafana then it is still redirecting me to the namespace one deployment.
Please help.
Yes, it is possible.
There can be two issues in your case.
One is that you don't need the regex path for the grafana ingress. A simple /grafana path will be fine with path type Prefix, as with path type Prefix any /grafana/... will be redirected to the associated service. So the manifest file will be:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-ingress
  namespace: monitoring
spec:
  tls:
  - hosts:
    - example.com
  rules:
  - host: example.com
    http:
      paths:
      - path: /grafana
        pathType: Prefix
        backend:
          service:
            name: grafana
            port:
              number: 3000
```
And the second issue can be that the related service or deployment might not be under the same namespace, monitoring. Please make sure the deployment/service/secret or other resources needed for grafana remain under the same namespace, monitoring.

Kubernetes ingress - access to web service container subpaths

I have a web service (dashboard-service) running in a container. The service provides the required webpages at:
http://192.168.1.100:3000/page2/
http://192.168.1.100:3000/page3/
etc
I have the dashboard-service running in a kubernetes cluster, and want to use ingress to control access like this:
so that I can access at: http://192.168.1.100:3000/dashboard/1
http://192.168.1.100:3000/dashboard/2
etc
I've tried the following ingress setup, but am getting "404 Not Found"
Is there some way of adding routes to subpaths?
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-service
  namespace: db
  annotations:
    ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /dashboard/
        pathType: Prefix
        backend:
          service:
            name: dashboard-service
            port:
              number: 3000
```
First of all, there is no below configuration in ingress
```yaml
backend:
  service:
    name: dashboard-service
    port:
      number: 3000
```
You should use next instead..
```yaml
- backend:
    serviceName: dashboard-service
    servicePort: 3000
```
Next, I would propose you install, configure and use nginx ingress controller instead of regular kubernetes-ingress. Please note also, if you use nginx controller, your annotation should be nginx.ingress.kubernetes.io/rewrite-target: , not ingress.kubernetes.io/rewrite-target:
As per NGINX Ingress Controller rewrite documentation, your ingress should look like
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /page$2
  name: dashboard-service
  namespace: db
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: dashboard-service
          servicePort: 3000
        path: /dashboard(/|$)(.*)
```
I tested regex and capture groups for you here: https://regex101.com/r/3zmz6J/1