Kubernetes with Istio: Authenticate with External Oauth Service - kubernetes

I'm looking for a way to authenticate an Istio-enabled Kubernetes cluster with an external OAuth2 provider. The Nginx Ingress controller has a way to do this when using vanilla Ingress resources.
https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/
However, I'm not sure how to do this with Istio Gateway and VirtualService objects. Basically, I need to be able to provide an auth-url and an auth-signin URL to Istio, so it will authenticate the same way that the OAuth Nginx ingress controller does. I've found a few examples of EnvoyFilters that suggest ways to do this, but there isn't a lot of documentation on how to make this work.
Any advice on getting Istio to integrate with an external OAuth provider would be much appreciated.

OriginAuthenticationMethod is the authentication policy that you are looking for.
Refer: https://istio.io/docs/reference/config/security/istio.authentication.v1alpha1/#OriginAuthenticationMethod
Currently, only JWT is supported for origin authentication.
A workaround would be using another type of Ingress.
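Since the answer says the only origin method Istio's v1alpha1 authentication policy supports is JWT, the closest match to the question is a Policy whose origin is a JWT issued by the OAuth2 provider. The following is an added example, not code from the question, the answer or the Istio docs; the namespace, the service name `my-app`, the issuer, the JWKS URL and the audience are placeholders for the provider's real values.

```yaml
# Added example (not from the original thread): an Istio authentication Policy
# (authentication.istio.io/v1alpha1) using OriginAuthenticationMethod with a
# JWT origin, the only origin method the answer says is supported.
# Placeholders: namespace "default", Service "my-app", the OAuth2 provider's
# issuer and JWKS URL, and the audience value.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: my-app-jwt-origin
  namespace: default
spec:
  targets:
  - name: my-app                  # the Kubernetes Service this policy protects
  origins:
  - jwt:
      issuer: "https://oauth.example.com/"                          # placeholder
      jwksUri: "https://oauth.example.com/.well-known/jwks.json"    # placeholder
      audiences:
      - "my-app"                  # reject tokens minted for other services
      trigger_rules:
      - excluded_paths:
        - exact: /healthz         # let the health check through without a token
  principalBinding: USE_ORIGIN    # the request principal becomes the JWT subject
```

With this in place the sidecar rejects requests to `my-app` that do not carry a valid `Authorization: Bearer <token>` signed by a key from the JWKS URL, with a matching issuer and audience. What it does not do is the `auth-signin` redirect that ingress-nginx performs: the client has to complete the OAuth2 flow with the provider itself and present the resulting token, which is the gap the answer's "use another type of Ingress" workaround refers to.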

Related

Using CloudFlare's CustomHostname with k8s ingress to enable CustomDomain

We have a custom domain feature, which allows our clients to use our services with their custom DNS records.
For example, our client ACME has a CNAME to ssl.company.com, like so: login.acme.com -> ssl.company.com. Right now we are using a k8s cluster to serve such traffic. For each custom domain, we create an ingress, an external service, and a certificate using the Let's Encrypt cert-manager.
We started using the Cloudflare WAF, and they provide a CustomHostname feature which allows us to do the same as our CD cluster but without changing the host header. So
for the example above we get
host: login.acme.com -> login.acme.com
SNI: login.acme.com -> ssl.company.com
The issue is, of course, how to map a generic k8s ingress to allow such traffic.
When we did the POC we used this method and it worked, but now it has stopped. We have also tried the default backend and an unhosted ingress path.
We are using the nginx-ingress controller but are migrating to another API gateway like Kong.
Any help would be appreciated.

Query related to AWS EKS & cloudfront

We have our frontend application deployed on CloudFront, and the backend APIs are hosted on Kubernetes (EKS).
We have use cases where we are using the backend APIs from CloudFront (front-end). We don't want to expose the backend API publicly, which is obvious.
So now the question is: how should we implement the above use case? Can someone please help us?
Thanks in advance.
You have multiple options to follow; which one depends on you.
Option 1
Change the origin of the frontend service: instead of S3, use EKS as the origin with CloudFront.
This might require extra things to set up and manage, so it is not a good idea.
Option 2
Set up the WAF with the Nginx ingress controller, or in the ingress that will be running inside EKS.
With the WAF you can specify the domain (origin) so that requests are accepted only from a specific domain.
Example: https://medium.com/cloutive/exposing-applications-at-aws-eks-and-integrating-with-other-aws-services-c9eaff0a3c0c
Option 3
You can keep your EKS behind the API gateway and set up auth like basic auth, API key, etc., and protect the API running in EKS that way.
https://waswani.medium.com/expose-services-in-eks-via-aws-api-gateway-8f249db372bd
https://aws.amazon.com/blogs/containers/integrate-amazon-api-gateway-with-amazon-eks/

Azure kubernetes - Istio certificate installation?

I am using Istio for the service mesh in Azure Kubernetes. I have configured private DNS to set up the FQDN. Currently the application is accessible over the HTTP protocol (e.g. http://myapp.contoso.com) and I would like it to be secured with the HTTPS protocol (e.g. https://myapp.contoso.com).
I know I have to change the service port to 443 to support the HTTPS protocol; however, how/where do I install the SSL certificate for the application (e.g. https://myapp.contoso.com)? Is there anything else to be done as well?
That will depend on where you want the SSL termination to happen. If you want that to happen inside the Azure Kubernetes network, then you can do SSL termination at the ingress layer.
Otherwise, you can also do the termination at the Application Gateway layer of Azure (if you want to avail yourself of this service from Azure: the redirection from HTTP to HTTPS, basic firewall features, and adding the PFX certificates at the listeners can be done there), although ingress can also take care of these things.
You can install the Let's Encrypt certificates by using this Helm chart, and for further steps you can follow this Stack Overflow link; it shall help you in creating configurations for Istio. People have used this solution for Istio as well before.
I found the answer here: Securing Your Istio Ingress Gateway with HTTPS
There is Istio documentation about that.
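To show concretely where the certificate goes when termination happens at the Istio ingress gateway, as the accepted route above describes: the certificate is not installed in the application at all, it is stored as a Kubernetes TLS Secret in the namespace of the ingress gateway and referenced from the Gateway by name. This is an added example, not the Istio documentation's own manifest; the host comes from the question, while the secret name `myapp-credential`, the gateway name, the certificate file names and the backend Service `myapp` on port 8080 are assumptions.

```yaml
# Added example (not from the thread or the linked Istio page): TLS termination
# at the Istio ingress gateway. Placeholders: host myapp.contoso.com (from the
# question), Secret myapp-credential, Gateway myapp-gateway, Service myapp:8080.
#
# 1. Put the certificate and key into a TLS Secret next to the ingress gateway
#    (the gateway reads it via SDS, so it must be in istio-system):
#      kubectl create -n istio-system secret tls myapp-credential \
#        --key=myapp.contoso.com.key --cert=myapp.contoso.com.crt
#
# 2. Reference the Secret from the Gateway's HTTPS server.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myapp-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE                     # terminate TLS here, plain HTTP to the mesh
      credentialName: myapp-credential # the Secret created in step 1
    hosts:
    - myapp.contoso.com
  - port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true              # answer plain-HTTP clients with a 301 to https://
    hosts:
    - myapp.contoso.com
---
# 3. Bind the host to the application through the gateway.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp
  namespace: default
spec:
  hosts:
  - myapp.contoso.com
  gateways:
  - myapp-gateway
  http:
  - route:
    - destination:
        host: myapp
        port:
          number: 8080
```

The application's own Service port does not have to become 443 in this layout: the gateway owns the certificate and the 443 listener, and the VirtualService forwards decrypted traffic to whatever port the app already listens on. If the certificate is renewed (for example by cert-manager), only the Secret changes and the gateway picks it up without a restart.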

How to create authentication with Kubernetes when service is already existing?

I'm reading through https://kubernetes.io/docs/reference/access-authn-authz/authentication/, but it is not giving any concrete commands, and it is mostly focused on when we want to create everything from scratch. It's also explaining auth for engineers using Kubernetes.
I have an existing deployment and service (with an exposed external IP) and would like to create the simplest possible authentication (preferably token-based) for an external user accessing the exposed IP. I can't add authentication to the services since I don't have access to their code. If somebody could help me with some commands I would be grateful.
The documentation you referred to is for authentication with k8s (for API access). This is not for application-layer authentication.
However, I can suggest one way to implement application-layer authentication without changing the service at all. You can redirect the traffic to nginx (or any other reverse proxy), which can perform the authentication and redirect the authenticated user to the service directly. It can also perform some kind of authorization too.
There are various resources available which can help you choose among the various authentication mechanisms available in nginx, such as the password-file-based mechanism (link) or JWT-based authentication (link).
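The answer's reverse-proxy approach, done with the ingress-nginx controller and its password-file mechanism, as an added example that is not part of the original answer. It assumes an existing Service named `legacy-app` on port 80, the host `legacy.example.com`, and a Secret named `basic-auth` holding an htpasswd file under the key `auth`; all of those names are placeholders.

```yaml
# Added example (not from the original answer): ingress-nginx enforcing HTTP
# basic auth in front of an existing Service whose code cannot be changed.
# Placeholders: Service legacy-app:80, host legacy.example.com, Secret basic-auth.
#
# Create the credential file and Secret first (htpasswd is in apache2-utils):
#   htpasswd -c auth alice
#   kubectl create secret generic basic-auth --from-file=auth
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: legacy-app
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth          # Secret with key "auth"
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - legacy.example.com
    secretName: legacy-app-tls       # credentials travel in cleartext without TLS
  rules:
  - host: legacy.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: legacy-app
            port:
              number: 80
```

Two points matter for this to actually protect anything. First, the proxy must be the only way in: the Service that currently has an external IP should be changed to `type: ClusterIP` so it is reachable only through the Ingress, otherwise the authentication is simply bypassed by connecting to the old IP. Second, basic auth sends the password on every request, so the `tls` section is not optional. If a token-based scheme is preferred, the same controller's `auth-url` annotation hands each request to an external verification endpoint instead of a password file.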

Secure traffic between kubernetes ingress and service

I'm pretty new to Kubernetes; I hope to explain myself well, and if anyone has any resources/suggestions to read for my problem it would be very much appreciated.
Let's get straight to the point.
The web app I'm trying to expose accepts only HTTPS connections on the service. So basically I would like to ask the ingress to communicate with my service through HTTPS.
Following some tutorial, I tried to expose a simple web app (that accepts HTTP connections) through HTTPS, creating a certificate and a secret and adding the following lines to the ingress.yml:
tls:
- secretName: testexample.com
  hosts:
  - testexample.com
and executing curl -k https://testexample.com, or through the browser, I can see my webpage.
The trouble pops out when my web app accepts only HTTPS connections, and the web app we are moving to Kubernetes does.
I always receive the "404 default backend" message.
I tried to look for some resources/tutorials/previous questions:
Secure communication between Ingress Controller (Traefik) and backend service on Kubernetes
Securing connections from ingress to services in Kubernetes with TLS
but I didn't figure out how to get out of the problem.
Any suggestions, as mentioned before, would be much appreciated.
The error source is probably your Ingress rule. Either it's not pointing to the correct service & port, or it is not in the same namespace as the service.
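For the part of the question that asks the ingress to talk HTTPS to the service: with ingress-nginx the controller proxies plain HTTP to the pod unless it is told otherwise, and an HTTPS-only backend then fails the request. The following is an added example, not the questioner's ingress.yml or the answerer's fix; it reuses the host and secret name `testexample.com` from the question and assumes a Service named `webapp` listening for HTTPS on port 8443 in the `default` namespace.

```yaml
# Added example (not from the original question or answer): an ingress-nginx
# Ingress that terminates TLS for testexample.com and re-encrypts to a backend
# Service that accepts only HTTPS. Placeholders: Service webapp:8443, namespace
# "default". The tls block is the question's, with the indentation an Ingress
# spec expects (hosts nested under the same list item as secretName).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp
  namespace: default          # must be the namespace the Service lives in
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"   # speak TLS to the pod
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - testexample.com
    secretName: testexample.com       # kubernetes.io/tls Secret from the question
  rules:
  - host: testexample.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: webapp
            port:
              number: 8443            # the port the app serves HTTPS on
```

A "404 default backend" response means the controller matched no rule at all, so before looking at the protocol, check that `kubectl get endpoints webapp -n default` lists pod addresses and that the Ingress and Service share a namespace, which is the answer's point. Note also that `backend-protocol: "HTTPS"` only encrypts the hop; ingress-nginx does not verify the backend's certificate unless the `proxy-ssl-secret` and `proxy-ssl-verify` annotations are set, so the hardened form adds those once the basic routing works.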