Nginx Ingress Kube

3/2/2019

I'm confused about nginx ingress with Kubernetes. I've been able to use it with "basic nginx auth" (unable to do so with oauth2 yet).

I've installed via helm:

helm install stable/nginx-ingress --name app-name --set rbac.create=true

This creates two services, an nginx-ingress-controller and an nginx-ingress-backend.

When I create an ingress, this ingress is targeted towards one and only one nginx-ingress-controller, but I have no idea how:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tomcat
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - foo"
    nginx.ingress.kubernetes.io/rewrite-target: /
  namespace: kube-system
spec:
  rules:
  - host:
    http:
      paths:
      - path: /
        backend:
          serviceName: tomcat-deployment-service 
          servicePort: 8080

When I get this Ingress from the output of kubectl get ingress -n kube-system, it has a public, external IP.

What's concerning is that basic-auth DOESN'T APPLY to that external IP; it's wide open! Nginx authentication only kicks in when I try to visit the nginx-ingress-controller's IP.

I have a lot of questions.

  1. How do I make an ingress created from kubectl apply -f ingress.yaml target a specific nginx-ingress-controller?
  2. How do I keep this new ingress from having an external IP?
  3. Why isn't nginx authentication kicking in?
  4. What IP am I supposed to use (the nginx-ingress-controller or the generated one)?
  5. If I'm supposed to use the generated IP, what about the one from the controller?

I have been searching for decent, working examples (and poring over sparse, changing documentation, and GitHub issues) for literally days.

EDIT:

In this "official" documentation, it's unclear as to whether or not http://10.2.29.4/ is the IP from the ingress or the controller. I assume the controller because when I run this, the other doesn't even authenticate (it lets me in without asking for a password). Both IPs I'm using are external IPs (publicly available) on GCP.

-- Display name
kubernetes
nginx-ingress

1 Answer

3/3/2019

I think you might have some concept definition misunderstanding.

  1. Ingress is not a job (nor a service, nor a pod). It is just a configuration. It cannot have an "IP". Think of ingress as a routing rule or a routing table in your cluster.
  2. Nginx-ingress-controller is the service of type LoadBalancer, with actual running pods behind it, that facilitates those ingress rules that you created for your cluster.
  3. Nginx-ingress-backend is likely to be a default-backend that your nginx-ingress-controller will route to if no matching routes are found. See this
  4. In general, your nginx-ingress-controller should be the only entry of your cluster. Other services in your cluster should have type ClusterIP such that they are not exposed outside the cluster and are only accessible through your nginx-ingress-controller. In your case, since your service could be accessed from outside directly, it should not be of type ClusterIP. Just change the service type to get it protected.

Based on the above understanding, I will be glad to provide further help for the question you have.

Some readings:

  1. What is ingress: https://kubernetes.io/docs/concepts/services-networking/ingress/
  2. K8s Services and external accessibility: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
-- Fei
Source: StackOverflow
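
A check for the situation discussed in this thread, added here as an example and not part of the original question or answer: it reads the output of `kubectl get ingress,svc --all-namespaces -o json` and reports every Ingress carrying `nginx.ingress.kubernetes.io/auth-*` annotations whose backend Service is itself of type LoadBalancer or NodePort, so that the Service can be reached without passing the controller's authentication. The sample data is constructed; in particular the LoadBalancer type of tomcat-deployment-service is an assumption, since the question does not show the Service manifest.

```python
import json
import sys

AUTH_PREFIX = "nginx.ingress.kubernetes.io/auth-"   # auth-type, auth-secret, auth-realm
EXPOSED_TYPES = {"LoadBalancer", "NodePort"}        # reachable without the controller

def backend_services(ingress):
    """Yield Service names an Ingress routes to (v1beta1 and v1 schemas)."""
    for rule in ingress.get("spec", {}).get("rules") or []:
        for path in (rule.get("http") or {}).get("paths") or []:
            backend = path.get("backend") or {}
            name = backend.get("serviceName") or (backend.get("service") or {}).get("name")
            if name:
                yield name

def find_auth_bypasses(kube_list):
    """Return (namespace, ingress, service, type) for each auth-annotated
    Ingress whose backend Service is also exposed directly."""
    items = kube_list.get("items", [])
    svc_type = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]):
                s.get("spec", {}).get("type", "ClusterIP")
                for s in items if s.get("kind") == "Service"}
    findings = []
    for ing in (i for i in items if i.get("kind") == "Ingress"):
        meta = ing["metadata"]
        if not any(k.startswith(AUTH_PREFIX) for k in meta.get("annotations") or {}):
            continue  # no auth configured on this Ingress, nothing to bypass
        ns = meta.get("namespace", "default")
        for name in backend_services(ing):
            if svc_type.get((ns, name)) in EXPOSED_TYPES:
                findings.append((ns, meta["name"], name, svc_type[(ns, name)]))
    return findings

# Constructed sample mirroring the Ingress in the question; the Service type
# is an assumption (the question never shows the Service manifest).
SAMPLE = {"kind": "List", "items": [
    {"kind": "Ingress",
     "metadata": {"name": "tomcat", "namespace": "kube-system", "annotations": {
         AUTH_PREFIX + "type": "basic", AUTH_PREFIX + "secret": "basic-auth"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": {
         "serviceName": "tomcat-deployment-service", "servicePort": 8080}}]}}]}},
    {"kind": "Service",
     "metadata": {"name": "tomcat-deployment-service", "namespace": "kube-system"},
     "spec": {"type": "LoadBalancer"}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ns, ing, svc, kind in find_auth_bypasses(data):
        print(f"{ns}/{svc} is type {kind}: bypasses auth on ingress {ns}/{ing}")
```

Run it with a saved JSON file as the first argument to check a real cluster; with no argument it evaluates the constructed sample.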