Kubernetes Ingress - Automatically validating Certificates issued by Intermediate Certificate

11/26/2021

I'm currently setting up my Ingress in Kubernetes. We do have the requirement to enable SSL/TLS and validate the certificates. For this, we have a root CA, which issues a certificate to the intermediate CA. The intermediate CA in turn issues certificates for all our clients. The client certificates have the subject name "Device".

The intermediate CA certificate is stored in a Kubernetes secret. Now I would like to configure Ingress to automatically validate all incoming requests from clients and check that their certificate was indeed issued by our intermediate CA. In addition, I was wondering if it would be possible to validate the subject name of the client certificate.

Do you guys know if that is possible, or do I need to add this logic to my application?

I was somehow not able to find any information on that. Hence, it would be great if you could help me out here.

-- David L.
kubernetes
kubernetes-ingress
nginx-ingress
security
ssl

1 Answer

11/26/2021

Based on my understanding, you are planning to use cert verification.

It is possible to enable client-certificate authentication by adding additional annotations to your Ingress resource. Before getting started you must have the following certificates set up:

  • CA certificate and key (intermediate certs need to be in the CA)
  • Server certificate (signed by the CA) and key (CN should equal the hostname you will use)
  • Client certificate (signed by the CA) and key

You can refer to this Ingress setup and give it a try:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    # Enable client certificate authentication
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Create the secret containing the trusted ca certificates
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
    # Specify the verification depth in the client certificates chain
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Specify an error page to be redirected to verification errors
    nginx.ingress.kubernetes.io/auth-tls-error-page: "http://example.io/error-cert.html"
    # Specify if certificates are passed to upstream server
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  name: nginx-test
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: http-svc
            port:
              number: 80
  tls:
  - hosts:
    - mydomain.com
    secretName: tls-secret

Read more at: https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/

-- Harsh Manvar
Source: StackOverflow
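The answer's annotations cover the first half of the question (the chain check): with only the intermediate CA in the auth-tls-secret and auth-tls-verify-depth "1", ingress-nginx accepts a client certificate only if it was issued directly by that intermediate. The second half, checking that the subject CN is "Device", is not in the posted config, so the application behind the Ingress still has to do it (newer ingress-nginx releases also document an auth-tls-match-cn annotation for this; check the docs for your release). The Go program below is an added example, not code from the post or from the ingress-nginx project. It builds a constructed demo PKI (root -> intermediate -> "Device") with the standard library, performs both checks the way an upstream service would, and shows which certificates are rejected. It assumes, as a labelled assumption, that ingress-nginx forwards the client certificate as URL-escaped PEM in an ssl-client-cert header when auth-tls-pass-certificate-to-upstream is "true".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// mkCert issues a certificate for cn signed by parent; with parent == nil it is
// self-signed. This only builds the constructed demo PKI for the example.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		// Leaf certificates are usable for client authentication only.
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyDevice applies both checks from the question. The trust pool holds
// only the intermediate CA, mirroring an auth-tls-secret that contains just the
// intermediate with verify depth 1: the client cert must be issued directly by
// it. The CN comparison is the part nginx's annotations in the answer do not do.
func verifyDevice(client, trusted *x509.Certificate, wantCN string) error {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	opts := x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := client.Verify(opts); err != nil {
		return fmt.Errorf("client certificate not issued by trusted CA: %w", err)
	}
	if client.Subject.CommonName != wantCN {
		return fmt.Errorf("unexpected subject CN %q, want %q", client.Subject.CommonName, wantCN)
	}
	return nil
}

// clientCertHeader renders the value we assume ingress-nginx puts in the
// ssl-client-cert header when the certificate is passed upstream: URL-escaped PEM.
func clientCertHeader(c *x509.Certificate) string {
	return url.PathEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
}

// parseClientCertHeader reverses clientCertHeader on the application side.
func parseClientCertHeader(h string) (*x509.Certificate, error) {
	raw, err := url.PathUnescape(h)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("ssl-client-cert header does not carry a PEM certificate")
	}
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", true, root, rootKey)
	device, _ := mkCert("Device", false, inter, interKey)
	rogueCA, rogueKey := mkCert("Rogue CA", true, nil, nil)
	rogue, _ := mkCert("Device", false, rogueCA, rogueKey)
	wrongCN, _ := mkCert("Laptop", false, inter, interKey)

	for name, c := range map[string]*x509.Certificate{"device": device, "rogue": rogue, "wrongCN": wrongCN} {
		got, err := parseClientCertHeader(clientCertHeader(c))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-8s -> %v\n", name, verifyDevice(got, inter, "Device"))
	}
}
```

Only the "device" certificate passes; the one signed by an unrelated CA fails the chain check and the one with CN "Laptop" fails the subject check. Note that a certificate issued by the root directly is also rejected, because only the intermediate is a trust anchor, which is the behaviour the posted annotations give you when the secret holds just the intermediate.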