K
Q

Adding basic auth to kubernetes deployment

10/7/2019

Could anyone explain me what is the best way to add basic Auth to a kubernetes cluster deployment that is running a webapp on Google Cloud (GCP)

We are exposing it using:

kubectl expose deployment testSanbox --type=LoadBalancer --port 80 --target-port 80

We don't need anything fancy as this is only a dev sandbox but we don't want anyone to be able to reach it. It could be a single user/pass combo or maybe use the google credentials that we manage with IAM.

Sorry as you probably already noticed I'm not really experienced with kubernetes or GCP.

Thanks

-- SGarofalo808
authentication
google-cloud-platform
kubernetes

Similar Questions

kafka-2-1-4 stopped working on deployment server
K8S: convert "kubeadm init" command-line arguments to "--config" YAML
kubectl logs command does not appear to respect --limit-bytes option
Mandate Group Search Condition in Dex LDAP Coonector
Helm, Promethus : Install prometheus with data/default directory on ec2 instance
How can i create mutiple nginx ingress controller in kubernetes
Kubernetes control plane how to increase Endpoint Slices for Service

3 Answers

10/7/2019

You deployed a pod testSandbox and exposed it to the LoadBalancer. Your app testSandbox should handle the authentication for the requests it receives. Unless you use an API Gateway and handle the authentication on all requests on the way into the cluster.

-- Jonas
Source: StackOverflow
10/8/2019

I would change your TCP load balancer by an HTTP one. This means instead of exposing as LoadBalancer type service, you would expose it as NodePort. Then you would create Ingress resource to hit that service.

For authentication, you can use IAP (Identity Aware Proxy), which is a GCP product and you can hook it up to HTTP load balancer quite easily.

Once it is done, you would have the typical Google authentication page (similar to gmail), and your users will authenticate themselves with their GCP credentials.

-- suren
Source: StackOverflow
10/8/2019

If you looking for HTTP Basic Auth you can use NGINX and Ingress. Here is setup instruction authentication-ingress-nginx, ingress-auth.

But in context of security http authentication is not good enough secure authentication method. The problem is that, unless the process is strictly enforced throughout the entire data cycle to SSL for security, the authentication is transmitted in open on insecure lines. This lends itself to man in the middle attacks, where a user can simply capture the login data and authenticate via a copy-cat HTTP header attached to a malicious packet.

Here is overview in kubernetes official documentation about authorization authorization-kubernetes.

If you look for better solutions use API Keys, OAuth provider such as Google, Auth0, etc. developers.google.com/identity/protocols/OAuth2WebServer AND developers.google.com/identity/protocols/OAuth2UserAgent There are many options for authentication and authorization. Here are xplainations of above terms: api-authentication.

Approach to authenticate users using Auth on GCP: authentication-gcp-app.

Please let me know if it helps.

-- MaggieO
Source: StackOverflow