Difference between nginx ldap auth & CoreOS Dex

8/22/2019

I am trying to put some kind of authenticator in front of my Kubernetes applications. I have been using the nginx-ldap-auth image with the traditional applications on Docker containers. But when on Kubernetes and exposing applications on NodePort Services, what is the best way to put authentication around it?

Dex seems to be the authentication solution for Kubernetes as a whole, but does it also help in authenticating web UI services hosted on Kubernetes?

-- swetad90
kubernetes
nginx
tectonic-coreos

2 Answers

11/27/2019

I have used authelia for protecting ingress resources; it worked very well. After setting up and configuring authelia, all you have to do is add a couple of annotations to your ingress objects.

See example here: https://github.com/clems4ever/authelia/blob/v4.0.0-alpha1/example/kube/apps/apps.yml#L78-L79

You can define pretty complex rules for your ingress domains.

-- leodotcloud
Source: StackOverflow

8/28/2019

Kubernetes provides a few fundamental Authentication concepts that actually manage the access-control function. OpenID Connect, as a part of the authentication model, represents a flexible way to handle token ID based verification of user identity through a variety of Identity Provider software protocols like OAuth2; however, K8s doesn't provide any OpenID Identity Provider in front of the cluster.

Dex, as an OpenID service, can be used for authentication to the Kubernetes API server through the OpenID K8s authentication plugin; however, a web application hosted in Kubernetes needs to be supplied with an OAuth2 client in order to determine user identity and obtain a Token ID, as described here.

Assuming that you have an exposed web application running on a K8s cluster, an Ingress resource might extend L7 network features for the target application service, like load balancing, SSL/TLS termination, network traffic routing, etc.; for that purpose an Ingress Controller has to be implemented in the K8s cluster, so that all HTTP/HTTPS requests will be routed and processed according to the rules specified inside the Ingress object.

Going further, the NGINX Ingress Controller gives you an opportunity to adjust or extend some significant functionality of a typical Ingress Controller via Annotations and apply, i.e., oauth2_proxy as an external authentication provider to handle user request identification on the Ingress object, as described in the Kubernetes dashboard example.

By the way, the nginx-ldap-auth module seems to be compatible with the NGINX Ingress Controller as well, hence you can check tiagoapimenta/nginx-ldap-auth.

-- mk_sta
Source: StackOverflow
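Both answers above come down to the same mechanism: the NGINX Ingress Controller's external-auth annotations, which send every request as a subrequest to an auth endpoint (Authelia, oauth2_proxy, or an nginx-ldap-auth style service) before proxying it to the application. The manifest below is an added example, not code from either answer or from the Authelia or ingress-nginx projects. The hostnames, namespace, service names and TLS secret are placeholders; the `/oauth2/auth` and `/oauth2/start` paths are the ones oauth2_proxy exposes, and you would swap in the verify endpoint of whichever auth service you run.

```yaml
# Added example: an Ingress protected by ingress-nginx external authentication,
# plus the backing Service. All names and hosts are constructed placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webapp
  namespace: apps
  annotations:
    # Each request is first sent as a subrequest to this URL. A 2xx response
    # lets the request through; 401/403 redirects the browser to auth-signin.
    # Assumption: oauth2_proxy is reachable at auth.example.com; for Authelia
    # point this at its verify endpoint instead.
    nginx.ingress.kubernetes.io/auth-url: "https://auth.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/oauth2/start?rd=$escaped_request_uri"
    # Identity headers set by the auth service are copied to the backend so the
    # application can see who was authenticated (optional).
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email"
    # Keep the session cookie off plaintext HTTP.
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls          # placeholder TLS secret
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: webapp
                port:
                  number: 80
---
# The application Service stays ClusterIP, so the only route to it from
# outside the cluster is through the Ingress (and therefore through auth).
apiVersion: v1
kind: Service
metadata:
  name: webapp
  namespace: apps
spec:
  type: ClusterIP
  selector:
    app: webapp
  ports:
    - port: 80
      targetPort: 8080
```

The Service type matters for the question as asked: authentication attached to an Ingress only covers traffic that arrives through the Ingress Controller. If the application's Service is left as a NodePort, it remains reachable on every node's port without ever touching the auth-url check, so the Service should be ClusterIP (or the NodePort blocked by network policy or firewall) once the Ingress is in place. You can verify the setup by requesting the app host without a session and confirming you are redirected to the auth-signin URL rather than served the application.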