Allow access namespace only with certificate

1/14/2020

I have the following scenario:


The user red makes an HTTP request to one of the three services in namespace1. Somehow, K8s should verify whether user red has a valid certificate for namespace1 to call its services or not. In this case, user red owns the right certificate for namespace1, so it is allowed to call any service within namespace1. The same rule also applies to user blue.

But when user red tries to call services in namespace2, the request should be rejected, because it does not own the right certificate for namespace2.

The question is: is it possible to create a namespace certificate in Kubernetes? For example, when I have certificate A, I can only access namespace1 but not namespace2.

-- zero_coding
istio
kubernetes

2 Answers

1/14/2020

Not exactly what you want, but it's possible to do per domain. You can use an ingress controller such as Ambassador with SNI support. You supply separate TLS certificates for different domains, instead of using a single TLS certificate for all domains. It is designed to be configured on a per-mapping basis, enabling application developers or service owners to individually manage how their service gets exposed over TLS.

Using SNI instead of multiple ingress controller deployments is more scalable, because multiple load balancers or IPs for those ingress controllers can be avoided.

The problem with SNI is that client library and browser support is limited.

-- Arghya Sadhu
Source: StackOverflow

1/14/2020

I think Kubernetes Services don’t offer such features. The authentication should be done in an ingress controller (e.g. nginx-ingress). You just deploy two different ones, one per namespace, with different certificate configuration.

-- Dávid Molnár
Source: StackOverflow
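As an added example, not taken from either answer, here is the per-namespace certificate check the second answer describes (and the per-host TLS split of the first) written as two ingress-nginx Ingress resources. It assumes ingress-nginx is the controller and that the secret names, hostnames and service names below exist; they are placeholders chosen for the illustration.

```yaml
# Constructed example: one Ingress per namespace, each verifying client
# certificates against that namespace's own CA. A "red" certificate issued
# under namespace1's CA passes the namespace1 Ingress and fails the
# namespace2 Ingress. Assumed secrets: ns1-client-ca / ns2-client-ca hold
# each CA's PEM under the key "ca.crt"; ns1-server-tls / ns2-server-tls hold
# the server certificates. All names are hypothetical.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: namespace1-services
  namespace: namespace1
  annotations:
    # Require a client certificate and verify it against namespace1's CA only.
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "namespace1/ns1-client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [ns1.example.com]
      secretName: ns1-server-tls
  rules:
    - host: ns1.example.com
      http:
        paths:
          # service-a stands for any of the three services in namespace1.
          - {path: /, pathType: Prefix, backend: {service: {name: service-a, port: {number: 80}}}}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: namespace2-services
  namespace: namespace2
  annotations:
    # Same rule, different trust anchor: only namespace2's CA is accepted here.
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "namespace2/ns2-client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [ns2.example.com]
      secretName: ns2-server-tls
  rules:
    - host: ns2.example.com
      http:
        paths:
          - {path: /, pathType: Prefix, backend: {service: {name: service-x, port: {number: 80}}}}
```

Because ingress-nginx takes the CA from the secret named in the annotation, the trust anchor is selected per Ingress, so a single controller can enforce both rules; a client presenting a namespace1 certificate to ns2.example.com gets an HTTP 400 from nginx and never reaches a service.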