Nginx ingress controller authentication not working


Question


I am running a GKE cluster (v1.16.15gke.4300) and the nginx ingress authentication is failing. The below snippet is for external oauth2 authentication, but even basic auth is not working. It seems that nginx is completely ignoring these annotations.


The oauth2 proxy with the Google API is actually working fine, but nginx is not including the auth configuration in its own configuration. I can easily check that on the running nginx pods. No auth conf there.


nginx ingress controller:

  repoURL: 'https://helm.nginx.com/stable'
  targetRevision: 0.6.1
  version: nginx/1.19.2


The live manifest for an ingress service protected by oauth2:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/auth-signin: https://oauth2.####.net/oauth2/start?rd=$escaped_request_uri
    ingress.kubernetes.io/auth-url: https://oauth2.####.net/oauth2/auth
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":##########}
  creationTimestamp: "####"
  finalizers:
  - networking.gke.io/ingress-finalizer-V2
  generation: 1
  labels:
    argocd.argoproj.io/instance: k8s-default
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  resourceVersion: "22174124"
  selfLink: /apis/extensions/v1beta1/namespaces/kubernetes-dashboard/ingresses/dashboard-ingress
  uid: 34263f6b-6818-403f-####-4c6acb196c49
spec:
  rules:
  - host: dashboard.###.net
    http:
      paths:
      - backend:
          serviceName: kdashboard-kubernetes-dashboard
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - dashboard.###.net
    secretName: reflect-certificate-secret-internal
status:
  loadBalancer:
    ingress:
    - ip: ##.##.##.##


When running the service I never get a 403/401:

curl -I 'https://dashboard.###.net/'
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Mon, 14 Dec 2020 19:50:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1272
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: no-store
Last-Modified: Mon, 22 Jun 2020 14:25:00 GMT

Recommended answer


Based on the info you provided, it looks like you are using the Nginxinc Ingress Controller and not the NGINX Ingress Controller, which are not the same. The Nginxinc Ingress Controller is different from the NGINX Ingress Controller in the kubernetes/ingress-nginx repo and also different from the default GKE Ingress Controller. The main difference that would affect your use case is that they all use different annotations, and those annotations can only be satisfied by the proper Controller. You can find the key differences between the mentioned above here and here.


Below are some useful docs/guides:


  • External OAUTH Authentication: The auth-url and auth-signin annotations allow you to use an external authentication provider to protect your Ingress resources.


  • Securing your website with OAuth2 using NGINX Ingress Controller: NGINX Ingress Controller can be combined with oauth2_proxy to enable many OAuth providers like Google, GitHub and others.

  • How to configure external OAuth authentication?

To summarize:


  • Choose the proper controller that would satisfy the annotations that you want to use.


Keep in mind that different Controllers might use different annotations (nginxinc vs nginx).


Use the kubernetes.io/ingress.class: annotation to choose the controller installed on your GKE Cluster.
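
The point about controller-specific annotations, as an added example that is not part of the original answer: a Python check over `kubectl get ingress -A -o json` output that lists auth annotations whose prefix the installed controller does not read. The prefix table, the function name and the sample data are assumptions constructed for illustration, and a matching prefix does not by itself mean the controller implements that annotation.

```python
import json

# Annotation prefixes each controller reads (assumption table for this example).
# kubernetes/ingress-nginx: default prefix, changeable with --annotations-prefix.
CONTROLLER_PREFIXES = {
    "kubernetes/ingress-nginx": ("nginx.ingress.kubernetes.io/",),
    "nginxinc/kubernetes-ingress": ("nginx.org/", "nginx.com/"),
}
# Annotation names (after the prefix) meant to put authentication in front of a backend.
AUTH_KEYS = {"auth-url", "auth-signin", "auth-type", "auth-secret"}

# Constructed sample in the shape of `kubectl get ingress -A -o json`;
# the first item mirrors the annotations of the manifest in the question.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "dashboard-ingress", "namespace": "kubernetes-dashboard",
    "annotations": {
      "ingress.kubernetes.io/auth-url": "https://oauth2.example.net/oauth2/auth",
      "ingress.kubernetes.io/auth-signin": "https://oauth2.example.net/oauth2/start",
      "kubectl.kubernetes.io/last-applied-configuration": "{}"}}},
  {"metadata": {"name": "app-ingress", "namespace": "demo",
    "annotations": {
      "nginx.ingress.kubernetes.io/auth-url": "https://oauth2.example.net/oauth2/auth"}}},
  {"metadata": {"name": "public-ingress", "namespace": "demo"}}
]}
""")

def auth_annotations_outside_prefix(ingress_list, controller):
    """Map 'namespace/name' to the auth annotations whose prefix `controller` does not read."""
    prefixes = CONTROLLER_PREFIXES[controller]
    findings = {}
    for item in ingress_list.get("items", []):
        meta = item["metadata"]
        ignored = sorted(
            key for key in (meta.get("annotations") or {})
            if key.rsplit("/", 1)[-1] in AUTH_KEYS and not key.startswith(prefixes)
        )
        if ignored:
            findings[f"{meta['namespace']}/{meta['name']}"] = ignored
    return findings

if __name__ == "__main__":
    report = auth_annotations_outside_prefix(SAMPLE, "nginxinc/kubernetes-ingress")
    for name, keys in report.items():
        print(f"{name}: auth annotations not read by this controller: {', '.join(keys)}")
```

An Ingress that appears in the result is served without the intended authentication, which matches the `200 OK` in the question.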
