Could anyone explain me what is the best way to add basic Auth to a kubernetes cluster deployment that is running a webapp on Google Cloud (GCP)
We are exposing it using:
kubectl expose deployment testSanbox --type=LoadBalancer --port 80 --target-port 80
We don't need anything fancy as this is only a dev sandbox but we don't want anyone to be able to reach it. It could be a single user/pass combo or maybe use the google credentials that we manage with IAM.
Sorry as you probably already noticed I'm not really experienced with kubernetes or GCP.
Thanks
You deployed a pod testSandbox and exposed it to the LoadBalancer. Your app testSandbox should handle the authentication for the requests it receives. Unless you use an API Gateway and handle the authentication on all requests on the way into the cluster.
I would change your TCP load balancer by an HTTP one. This means instead of exposing as LoadBalancer type service, you would expose it as NodePort. Then you would create Ingress resource to hit that service.
For authentication, you can use IAP (Identity Aware Proxy), which is a GCP product and you can hook it up to HTTP load balancer quite easily.
Once it is done, you would have the typical Google authentication page (similar to gmail), and your users will authenticate themselves with their GCP credentials.
If you looking for HTTP Basic Auth you can use NGINX and Ingress. Here is setup instruction authentication-ingress-nginx, ingress-auth.
But in context of security http authentication is not good enough secure authentication method. The problem is that, unless the process is strictly enforced throughout the entire data cycle to SSL for security, the authentication is transmitted in open on insecure lines. This lends itself to man in the middle attacks, where a user can simply capture the login data and authenticate via a copy-cat HTTP header attached to a malicious packet.
Here is overview in kubernetes official documentation about authorization authorization-kubernetes.
If you look for better solutions use API Keys, OAuth provider such as Google, Auth0, etc. developers.google.com/identity/protocols/OAuth2WebServer AND developers.google.com/identity/protocols/OAuth2UserAgent There are many options for authentication and authorization. Here are xplainations of above terms: api-authentication.
Approach to authenticate users using Auth on GCP: authentication-gcp-app.
Please let me know if it helps.