Nginx-ingress Kubernetes routing with basic auth


Problem description

I cannot set basic auth up on one of my paths. I would like to have the /auth path secured by basic auth; all the other paths don't need basic auth. So I created two ingress files which point to the same backend:

Non-auth ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /.*
            backend:
              serviceName: example-service
              servicePort: 4000

Auth-ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: example-service
              servicePort: 4000

All secrets are set correctly. What am I missing and how can I make it work?

Recommended answer

Try to create another service for the backend which needs authentication:

  1. main-ingress contains the spec for the service(s) which don't require authentication through nginx, e.g. example-service.
  2. auth-ingress contains the spec for the service(s) which require authentication (basic in my case) through nginx, e.g. auth-service.

Your auth-ingress should look like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: auth-service
              servicePort: <auth-service-port>

Also, you can try to deny traffic to the /auth path in the first ingress, main-ingress.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location /auth {
        deny all;
      }
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /.*
            backend:
              serviceName: example-service
              servicePort: 4000

Take a look at: ingress-nginx-issues, kubernetes-ingress-network-deny-some-paths, kubernetes-ingress-nginx-re-write-does-not-match.
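
A way to verify the behaviour the question asks for, as an added example that is not part of the original question or answer: the script checks that /auth answers unauthenticated requests with a 401 Basic challenge, accepts valid credentials, and leaves other paths open. The credentials, the /health path and the local stub server standing in for the ingress are constructed for illustration.

```python
# Added example: audit that only /auth demands basic auth (stub ingress is constructed).
import base64, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "demo", "constructed-password"  # constructed sample credentials

def probe(url, creds=None):
    """GET url; return (status, WWW-Authenticate header) without raising on 4xx."""
    req = urllib.request.Request(url)
    if creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")

def audit(base, protected="/auth", open_paths=("/", "/health"), creds=(USER, PASSWORD)):
    """Return findings; an empty list means routing matches the intent in the question."""
    findings = []
    status, challenge = probe(base + protected)
    if status != 401 or not (challenge or "").lower().startswith("basic"):
        findings.append(f"{protected}: no Basic challenge without credentials (got {status})")
    if probe(base + protected, creds)[0] in (401, 403):
        findings.append(f"{protected}: valid credentials rejected")
    findings += [f"{p}: demands credentials but should be open"
                 for p in open_paths if probe(base + p)[0] == 401]
    return findings

def start_stub(protect_auth=True):
    """Start a local stand-in for the ingress; return (server, base_url)."""
    good = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            need = protect_auth and self.path.startswith("/auth")
            denied = need and self.headers.get("Authorization") != good
            self.send_response(401 if denied else 200)
            if denied:
                self.send_header("WWW-Authenticate", 'Basic realm="Authentication Required"')
            self.end_headers()
        def log_message(self, *args):  # silence per-request logging
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    print(audit(start_stub()[1]) or "OK: /auth is challenged, other paths are open")
```

Against a real cluster, call `audit("https://example.com", creds=(user, password))` with a user from the basic-auth secret instead of starting the stub.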
