Client SubjectName validation on NGINX Ingress

4/11/2020

I am trying to configure the NGINX ingress controller so that it can also validate a unique CN or Subject name coming from the client. The reason being that we only want one client to be configured to access the NGINX ingress controller, and the rest of the clients, which are signed using the same CA & key, can be dropped.

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=testAuthority
            Validity
                Not Before: Apr  5 08:02:23 2020 GMT
                Not After : Apr  5 08:02:23 2021 GMT
            Subject: CN=client
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (4096 bit)
                    Modulus:
                    <snipped>
                    Exponent: 65537 (0x10001)
        Signature Algorithm: sha256WithRSAEncryption
            <snipped>
    -----BEGIN CERTIFICATE-----
    <snipped>
    -----END CERTIFICATE-----

If a request to the NGINX controller is received with the above certificate (matching on Subject CN, certificate key, or fingerprint), it should be forwarded to the backend. The rest of the certificates should be rejected.

If there is some annotation or ConfigMap that could be configured in the Ingress, it would be helpful.

-- Ammrin
certificate
kubernetes
kubernetes-ingress
nginx-ingress
tls1.2

1 Answer

4/12/2020

You may try to extract the CN into a variable and then deny access based on this variable via a configuration snippet. One possible workaround is to use an additional Ingress with a dedicated CA + client certificate authentication and issue client certificates to allowed clients only.

-- Alex Vorona
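The first approach in the answer, written out as an added example (not part of the answer or of the ingress-nginx project documentation): an Ingress that enables client certificate verification against the CA from the question and then uses a configuration snippet to reject every verified client whose subject DN is not exactly `CN=client`. The Secret name `default/ca-secret`, the service name `example-app`, the host and the fingerprint value are assumptions; the annotations and the `$ssl_client_s_dn` / `$ssl_client_fingerprint` variables are real ingress-nginx and NGINX features.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app            # assumed name
  namespace: default
  annotations:
    # Step 1: verify that the presented client certificate chains to the CA in
    # the Secret (the Secret must carry the CA bundle under the key "ca.crt").
    # Clients with no certificate or a certificate from another CA are rejected
    # here, before the snippet below runs.
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"   # assumed Secret
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Step 2: among certificates the CA did sign, allow only the one whose
    # subject DN is exactly "CN=client". $ssl_client_s_dn is the RFC 2253 form of
    # the subject, so an exact string comparison is used rather than a regex
    # (a regex like "CN=client" would also match "CN=client2").
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($ssl_client_s_dn != "CN=client") {
        return 403;
      }
      # Alternative pinning on the certificate itself instead of its name:
      # $ssl_client_fingerprint is the lowercase hex SHA-1 of the client cert.
      # Replace the placeholder with the real value before using this form.
      # if ($ssl_client_fingerprint != "PLACEHOLDER_SHA1_FINGERPRINT") {
      #   return 403;
      # }
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.test     # assumed host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: example-app  # assumed backend Service
                port:
                  number: 80
```

Two checks worth doing before relying on this: confirm the exact DN string NGINX will see with `openssl x509 -in client.crt -noout -subject -nameopt RFC2253` (older NGINX versions rendered the DN as `/CN=client`, which would make the exact match fail closed for everyone), and confirm that the controller permits snippet annotations at all, since recent ingress-nginx releases require the administrator to enable them with the `allow-snippet-annotations` ConfigMap setting. Because the comparison only runs after `auth-tls-verify-client: "on"` has already validated the chain, a forged subject in a certificate from another CA never reaches the snippet.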
Source: StackOverflow