How to prevent direct access to deployed API services exposed by nginx ingress controller

12/7/2018

I've deployed an application on AWS using kops and the NGINX ingress controller.

From what I've understood, it looks like the ingress controller allows exposing every service deployed in the cluster publicly. So it makes me wonder about security and authentication.

What is the architecture of my project? I have 3 services deployed in a cluster:

  1. client-ui (front-end)

  2. authentication-api (creates/generates/verifies JWT tokens and calls other services like data-api)

  3. data-api (an API that creates/reads/updates/deletes sensitive data in the DB)

So the question is: if the ingress controller exposes all services, how do you restrict access to a specific service if the user is not allowed to?

In this case data-api should only be accessible from authentication-api. So if in my browser I type www.client-ui.com/data/getXXX, obviously I should not be able to access that endpoint. I should only be able to do it from authentication-api, if his JWT token has been verified.

So I guess some APIs should be accessible only from within the cluster and some publicly?!

Could you please explain how can I do that ?

Thanks

-- jaybe78
amazon-ec2
kops
kubernetes
nginx-ingress

1 Answer

12/7/2018

Depending on the cloud provider, there are different annotations on the ingress services for that. What you want is an internal load balancer for a specific ingress resource. In your case (AWS) this should be:

annotations:
  service.beta.kubernetes.io/aws-load-balancer-internal: "true"

See:

-- Peter Ittner
Source: StackOverflow
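A worked example of the layout the question describes, added here; it is not part of the question or of Peter Ittner's answer. It assumes the three Services live in the default namespace with pods labelled app=<service-name>, that the containers listen on port 8080, that ingress-nginx is installed with ingress class "nginx", and (for the last part) that a second ingress-nginx controller exists with ingress class "nginx-internal" and pods labelled app=ingress-nginx-internal; the hostname data-api.internal.example.com is also made up. It shows two things: how to keep data-api off the public ingress entirely (a ClusterIP Service with no Ingress resource, plus a NetworkPolicy so that only authentication-api pods can reach it), and the answer's internal-ELB variant for the case where data-api must still be reachable over HTTP from other machines in the VPC.

```yaml
# Added example (not from the original post or answer). Names, labels,
# ports and hostnames below are assumptions described in the lead-in.
#
# 1. data-api stays cluster-internal: a ClusterIP Service with no Ingress
#    resource is never routed by the ingress controller, so
#    www.client-ui.com/data/getXXX has nowhere to go. authentication-api
#    calls it by DNS at http://data-api.default.svc.cluster.local instead.
apiVersion: v1
kind: Service
metadata:
  name: data-api
  namespace: default
spec:
  type: ClusterIP          # the default; written out to make the intent visible
  selector:
    app: data-api
  ports:
    - port: 80
      targetPort: 8080     # assumed container port
---
# 2. Inside the cluster, only pods labelled app=authentication-api in the
#    same namespace may open connections to data-api pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: data-api-only-from-authentication-api
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: data-api
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: authentication-api
      ports:
        - protocol: TCP
          port: 8080
---
# 3. Public entry point: only client-ui and authentication-api get Ingress
#    rules on the public (internet-facing) controller.
apiVersion: extensions/v1beta1   # Ingress API group current for Kubernetes in 2018
kind: Ingress
metadata:
  name: public
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
    - host: www.client-ui.com
      http:
        paths:
          - path: /
            backend:
              serviceName: client-ui
              servicePort: 80
          - path: /auth
            backend:
              serviceName: authentication-api
              servicePort: 80
---
# 4. The answer's approach, for when data-api must be reachable over HTTP
#    from other hosts in the VPC: a second ingress-nginx controller whose
#    Service carries the internal-ELB annotation. Only the Service is shown;
#    the second controller Deployment (not shown) must be started with
#    --ingress-class=nginx-internal and --publish-service=ingress-nginx/ingress-nginx-internal.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-internal
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: ingress-nginx-internal   # assumed label on the second controller's pods
  ports:
    - name: http
      port: 80
      targetPort: http
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: data-api-internal
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx-internal   # picked up only by the internal controller
spec:
  rules:
    - host: data-api.internal.example.com   # assumed private DNS name
      http:
        paths:
          - path: /
            backend:
              serviceName: data-api
              servicePort: 80
```

Apply with kubectl apply -f. Two caveats: NetworkPolicy is only enforced when the cluster's network plugin supports it (kops clusters built with kubenet do not enforce it; Calico, Canal and Weave do), so check which networking option the cluster was created with before relying on part 2. And an internal ELB is reachable from every host in the VPC and any peered network, so part 4 narrows the audience from "the internet" to "the VPC", not to authentication-api alone; the per-service restriction the question asks for comes from parts 1 and 2.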