How to add a reverse proxy for authentication & load balancing in Kubernetes (GKE)?

1/16/2020

Okay, I have a DB consisting of several nodes deployed to GKE.

The deployment.yaml adds each node as ClusterIP, which makes sense. Here is the complete deployment file:

https://github.com/dgraph-io/dgraph/blob/master/contrib/config/kubernetes/dgraph-ha/dgraph-ha.yaml

For whatever reason, the DB has zero security functionality, so I cannot expose any part using a LoadBalancer service because doing so would give unsecured access to the entire DB. The vendor argues that security is solely the user's problem. The AlphaNode comes with an API endpoint, which is also unsecured, but I actually want to connect to that API endpoint from an external IP.

So, the best I can do is to add an NGINX (reverse) proxy with authentication to secure access to the API endpoint of the Alpha node(s). Practically, I have three alpha nodes, so adding load balancing makes sense. I found a config that does load balancing to three alpha nodes in Docker Compose, although without authentication:

https://gist.github.com/MichelDiz/42954e321620159c872c35c20e9d85c6

Now, the million-dollar question I have is: how do I add an NGINX load balancer to Kubernetes that authenticates and load balances incoming traffic to my (ClusterIP) alpha nodes?

Any pointers? Any help?

-- Marvin.Hansen
docker
google-kubernetes-engine
kubernetes

1 Answer

1/16/2020

If you want to do it the hard way, you can deploy your own nginx Deployment and expose it as a LoadBalancer Service. You can configure it with the different authentication mechanisms that nginx supports.

Instead, you can use an Ingress resource backed by an IngressController that supports authentication. Check if your Kubernetes distribution provides an IngressController and if it supports auth. If not, you can install the nginx or Traefik IngressControllers, which support authentication.

Looks like GKE Ingress has recently added support for IAP-based authentication, which is still in beta - https://cloud.google.com/iap/docs/enabling-kubernetes-howto

If you are looking for a more traditional type of authentication with Ingress, install nginx or Traefik and use the kubernetes.io/ingress.class annotation so that only that IngressController claims your Ingress resource - https://kubernetes.github.io/ingress-nginx/user-guide/multiple-ingress/

-- Shashank V
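The "hard way" from the answer, written out as an added example (this is not code from the question, the answer, or the Dgraph project): a self-managed NGINX Deployment that requires HTTP basic auth, terminates TLS, load-balances across the three Alpha pods, and is exposed through a LoadBalancer Service. Names and ports are assumptions: namespace `default`, the Alpha StatefulSet from dgraph-ha.yaml named `dgraph-alpha` with a headless Service of the same name (so pods resolve as `dgraph-alpha-0.dgraph-alpha` and so on), Alpha HTTP on port 8080, a TLS secret `dgraph-proxy-tls` created out of band with `kubectl create secret tls`, and a placeholder htpasswd entry to be replaced with real `htpasswd -nb` output.

```yaml
# Added example, not from the page or from Dgraph. All names below are assumptions.
---
apiVersion: v1
kind: Secret
metadata:
  name: dgraph-proxy-auth
type: Opaque
stringData:
  # Replace with the output of: htpasswd -nb alice 'change-me'
  # (nginx's auth_basic reads Apache MD5 "$apr1$" hashes; placeholder below)
  htpasswd: "alice:$apr1$REPLACE_WITH_HTPASSWD_OUTPUT"
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dgraph-proxy-config
data:
  nginx.conf: |
    events {}
    http {
      upstream dgraph_alpha_http {
        # One entry per Alpha pod (assumed headless Service DNS names).
        least_conn;
        server dgraph-alpha-0.dgraph-alpha.default.svc.cluster.local:8080;
        server dgraph-alpha-1.dgraph-alpha.default.svc.cluster.local:8080;
        server dgraph-alpha-2.dgraph-alpha.default.svc.cluster.local:8080;
      }
      server {
        # TLS is mandatory: basic auth over plain HTTP sends credentials in clear.
        listen 8443 ssl;
        ssl_certificate     /etc/nginx/tls/tls.crt;
        ssl_certificate_key /etc/nginx/tls/tls.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        location / {
          auth_basic           "Dgraph Alpha";
          auth_basic_user_file /etc/nginx/auth/htpasswd;
          proxy_pass http://dgraph_alpha_http;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dgraph-proxy
spec:
  replicas: 2
  selector:
    matchLabels:
      app: dgraph-proxy
  template:
    metadata:
      labels:
        app: dgraph-proxy
    spec:
      containers:
        - name: nginx
          image: nginx:1.17
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: config
              mountPath: /etc/nginx/nginx.conf
              subPath: nginx.conf
            - name: auth
              mountPath: /etc/nginx/auth
              readOnly: true
            - name: tls
              mountPath: /etc/nginx/tls
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: dgraph-proxy-config
        - name: auth
          secret:
            secretName: dgraph-proxy-auth
        - name: tls
          secret:
            secretName: dgraph-proxy-tls   # created with: kubectl create secret tls ...
---
apiVersion: v1
kind: Service
metadata:
  name: dgraph-proxy
spec:
  type: LoadBalancer
  selector:
    app: dgraph-proxy
  ports:
    - port: 443
      targetPort: 8443
  # Basic auth alone is thin; also restrict who can reach the proxy at all.
  loadBalancerSourceRanges:
    - 203.0.113.0/24   # placeholder: your office or VPN egress range
```

Only the Alpha HTTP port is proxied; the gRPC port (9080) and the Zero nodes stay ClusterIP-only and never get a public address. Because the Alpha API has no authorization of its own, anyone who gets past this proxy has full read/write access, so treat the htpasswd secret like a root credential and keep the `loadBalancerSourceRanges` tight.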
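The Ingress route the answer recommends, as an added example (not from the page or from Dgraph): with ingress-nginx installed, the same basic auth, TLS and source-range restriction come from annotations instead of a hand-written nginx.conf, and the ingress controller handles the load balancing across Alpha pods. Assumptions: the Alpha ClusterIP Service is `dgraph-alpha-public` on port 8080 (as in dgraph-ha.yaml), the hostname `dgraph.example.com` and a matching TLS secret `dgraph-tls` exist, and the htpasswd line is a placeholder. The `networking.k8s.io/v1beta1` form matches clusters of the question's date (January 2020).

```yaml
# Added example, not from the page or from Dgraph. Names are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: dgraph-basic-auth
type: Opaque
stringData:
  # ingress-nginx expects the htpasswd content under the key "auth".
  auth: "alice:$apr1$REPLACE_WITH_HTPASSWD_OUTPUT"   # from: htpasswd -nb alice '...'
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: dgraph-alpha
  annotations:
    kubernetes.io/ingress.class: nginx                  # only ingress-nginx claims it
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: dgraph-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Dgraph Alpha"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"    # never serve the API over plain HTTP
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"  # placeholder range
spec:
  tls:
    - hosts:
        - dgraph.example.com
      secretName: dgraph-tls
  rules:
    - host: dgraph.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: dgraph-alpha-public
              servicePort: 8080
```

Check which controller actually claimed the resource with `kubectl describe ingress dgraph-alpha`: on GKE, omitting the `kubernetes.io/ingress.class` annotation lets the built-in GKE Ingress take it, and that controller ignores the `nginx.ingress.kubernetes.io/*` annotations, leaving the Alpha API reachable without any authentication.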
Source: StackOverflow