How to route user request to specific docker container based on the user id through IAP in GCP Kubernetes Engine

5/7/2020

I am trying to come up with a hello-world prototype for GCP Kubernetes Engine using IAP to allocate a container for a specific user and route all requests from this user to this container only. It is to protect user sensitive information in a totally isolated environment.

I followed "Enabling IAP for GKE" as @wilrof suggested, and got stuck in adding an iap block to the BackendConfig as follows:

apiVersion: cloud.google.com/v1  
kind: BackendConfig  
metadata:  
  name: config-default
  namespace: my-namespace  
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: my-secret

When I run 'kubectl apply -f backendconfig.yaml', it complains that no matches for kind "BackendConfig" in version "cloud.google.com/v1". I changed the first line to cloud.google.com/v1beta1, then it says namespaces "my-namespace" not found. Not sure where to go from here.

-- Seung-Woo Kim
google-iap
google-kubernetes-engine

1 Answer

5/14/2020

As mentioned in the comments:

The first pointer is Enabling IAP for GKE, you enable IAP and use Backendconfig to set your ingress to direct it to the service/pod.


Then you updated your question; here is the troubleshooting for BackendConfig:

Note: GKE versions 1.16.8-gke.3 and greater support the cloud.google.com/v1 CRD API version.

All lower GKE versions should use cloud.google.com/v1beta1.

  • Since you tried running with v1 and got no matches for kind "BackendConfig" in version "cloud.google.com/v1" I presume you are running a version older than 1.16.8-gke.3.

  • As for the error namespaces "my-namespace" not found, make sure your working namespace is called "my-namespace"; remember the default namespace for Kubernetes is default.


Reproduction on v1.15.11-gke.12:

  • I first tried to deploy with v1, as in your backendconfig.yaml example:
$ kubectl apply -f backendconfig.yaml 
error: unable to recognize "backendconfig.yaml": no matches for kind "BackendConfig" in version "cloud.google.com/v1"
  • Changed to v1beta1 and applied:
$ cat backendconfig.yaml 
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig  
metadata:  
  name: config-default
  namespace: my-namespace  
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: my-secret

$ kubectl apply -f backendconfig.yaml 
Error from server (NotFound): error when creating "backendconfig.yaml": namespaces "my-namespace" not found
  • Check the namespaces currently configured:
owilliam@owilliam:~/GKE/backendconfig$ kubectl get namespaces
NAME              STATUS   AGE
default           Active   5m35s
kube-node-lease   Active   5m37s
kube-public       Active   5m37s
kube-system       Active   5m37s
  • I'll create the namespace my-namespace and try to apply again:
$ kubectl create namespace my-namespace
namespace/my-namespace created

$ kubectl apply -f backendconfig.yaml 
backendconfig.cloud.google.com/config-default created

If you still have any issues, add a comment and we will dig further.

-- willrof
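The two failures in the answer (wrong CRD API version for the cluster's GKE release, and a namespace that does not exist yet) are both things that can be checked before running kubectl apply. The following preflight script is an added example, not code from the question or the answer: it parses a GKE version string against the 1.16.8-gke.3 threshold the answer quotes, parses the table that "kubectl get namespaces" prints, and only then renders the BackendConfig manifest with the right apiVersion. The function names, the sample version strings and the idea of feeding it saved kubectl output are assumptions for the example; the namespace table is the one shown in the answer.

```python
import re

# Per the answer: GKE 1.16.8-gke.3 and newer accept cloud.google.com/v1 for
# BackendConfig; older releases must use cloud.google.com/v1beta1.
GKE_V1_MIN = (1, 16, 8, 3)
API_V1 = "cloud.google.com/v1"
API_V1BETA1 = "cloud.google.com/v1beta1"

_GKE_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_gke_version(version):
    """Turn '1.15.11-gke.12' into a comparable tuple (1, 15, 11, 12)."""
    match = _GKE_VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"not a GKE version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def backendconfig_api_version(gke_version):
    """Pick the BackendConfig apiVersion the cluster's GKE release supports."""
    return API_V1 if parse_gke_version(gke_version) >= GKE_V1_MIN else API_V1BETA1


def parse_namespaces(kubectl_output):
    """Extract namespace names from the table 'kubectl get namespaces' prints."""
    names = set()
    for line in kubectl_output.strip().splitlines()[1:]:  # skip the NAME/STATUS/AGE header
        columns = line.split()
        if columns:
            names.add(columns[0])
    return names


def preflight(gke_version, namespace, known_namespaces):
    """Return a list of problems that would make 'kubectl apply' fail."""
    problems = []
    try:
        parse_gke_version(gke_version)
    except ValueError as exc:
        problems.append(str(exc))
    if namespace not in known_namespaces:
        problems.append(
            f'namespace "{namespace}" not found; create it first with '
            f"'kubectl create namespace {namespace}' or use an existing one"
        )
    return problems


def render_backendconfig(gke_version, name, namespace, secret_name):
    """Render the IAP BackendConfig from the question with the correct apiVersion."""
    api_version = backendconfig_api_version(gke_version)
    return (
        f"apiVersion: {api_version}\n"
        "kind: BackendConfig\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "spec:\n"
        "  iap:\n"
        "    enabled: true\n"
        "    oauthclientCredentials:\n"
        f"      secretName: {secret_name}\n"
    )


# Namespace table exactly as shown in the answer's reproduction.
SAMPLE_NAMESPACE_TABLE = """\
NAME              STATUS   AGE
default           Active   5m35s
kube-node-lease   Active   5m37s
kube-public       Active   5m37s
kube-system       Active   5m37s
"""

if __name__ == "__main__":
    cluster_version = "1.15.11-gke.12"  # the version used in the answer's reproduction
    namespaces = parse_namespaces(SAMPLE_NAMESPACE_TABLE)
    for problem in preflight(cluster_version, "my-namespace", namespaces):
        print("preflight:", problem)
    print(render_backendconfig(cluster_version, "config-default", "default", "my-secret"))
```

Run it with the cluster's master version (for a real cluster, the value reported by kubectl version or the GKE console) and the saved output of kubectl get namespaces; it reports the missing namespace before you hit the NotFound error and emits the manifest with v1beta1 for releases older than 1.16.8-gke.3.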
Source: StackOverflow