
Kubernetes basic authentication with Traefik

I am trying to configure Basic Authentication on an Nginx example with Traefik as the Ingress controller.

I just created the secret "mypasswd" in the Kubernetes secrets.

This is the Ingress I am using:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: nginxingress
  annotations:
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-realm: traefik
    ingress.kubernetes.io/auth-secret: mypasswd
spec:
  rules:
  - host: nginx.mycompany.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginxservice
          servicePort: 80

I checked the Traefik dashboard and the Ingress appears there. If I access nginx.mycompany.com I can see the Nginx webpage, but without the basic authentication.

This is my nginx deployment:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80

Nginx service:

apiVersion: v1
kind: Service
metadata:
  labels:
    name: nginxservice
  name: nginxservice
spec:
  ports:
    # The port that this service should serve on.
    - port: 80
  # Label keys and values that must match in order to receive traffic for this service.
  selector:
    app: nginx
  type: ClusterIP

Asier Gomez asked May 02 '18 09:05



2 Answers

Basic Auth configuration for Kubernetes and Traefik 2 seems to have slightly changed. It took me some time to find the solution, that's why I want to share it. I use k3s btw.

Step 1 + 2 are identical to what @d0bry wrote, create the secret:

printf "my-username:`openssl passwd -apr1`\n" >> my-auth
kubectl create secret generic my-auth --from-file my-auth --namespace my-namespace

Step 3 is to create the ingress object and apply a middleware that will handle the authentication

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: my-auth-middleware
  namespace: my-namespace
spec:
  basicAuth:
    removeHeader: true
    secret: my-auth
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  namespace: my-namespace
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.middlewares: my-namespace-my-auth-middleware@kubernetescrd
spec:
  rules:
    - host: my.domain.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 8080

And then of course apply the configuration

kubectl apply -f my-ingress.yaml

refs:

  • https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/
  • https://doc.traefik.io/traefik/middlewares/http/basicauth/

bztes answered Oct 28 '22 00:10
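
Added example (not part of the answer above and not Traefik's own code): a small Python lint for the two pieces that answer depends on, the users file stored in the `my-auth` secret and the middleware reference in the `router.middlewares` annotation. The hash regexes are this example's approximation of the MD5 (apr1), SHA1 and bcrypt formats that Traefik's basicAuth documentation lists as supported; the function names and sample data are constructed for illustration.

```python
import re

# Formats Traefik basicAuth documents: MD5 (apr1), SHA1, bcrypt. Regexes are approximations.
HASH_FORMATS = {
    "apr1-md5": re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$"),
    "sha1": re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
}


def lint_users_file(text):
    """Return (entries, problems) for the file stored in the my-auth secret."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        user, sep, secret = line.partition(":")
        if not sep or not user or not secret:
            problems.append(f"line {lineno}: expected user:hash")
            continue
        scheme = next((n for n, rx in HASH_FORMATS.items() if rx.match(secret)), None)
        if scheme is None:
            # Never echo the secret itself: it may be a plaintext password.
            problems.append(f"line {lineno}: user {user!r} has no recognised hash")
        else:
            entries.append((user, scheme))
    return entries, problems


def middleware_ref(namespace, name):
    """Reference format used in the router.middlewares annotation above."""
    return f"{namespace}-{name}@kubernetescrd"


def annotation_matches(annotation, namespace, name):
    """True if the comma-separated annotation lists the expected middleware."""
    refs = [r.strip() for r in annotation.split(",")]
    return middleware_ref(namespace, name) in refs


# Constructed sample: hashes are syntactically valid dummies, not real credentials.
SAMPLE = (
    "my-username:$apr1$abcdefgh$" + "A" * 22 + "\n"
    "ci-bot:$2y$05$" + "B" * 53 + "\n"
    "oops:hunter2\n"
)

if __name__ == "__main__":
    print(lint_users_file(SAMPLE))
```

Run it against the file before `kubectl create secret`, and compare the annotation value with `middleware_ref()` for the namespace the Middleware was actually created in.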


It is popular to use basic authentication. In reference to Kubernetes documentation, you should be able to protect access to Traefik using the following steps:

  1. Create authentication file using htpasswd tool. You'll be asked for a password for the user:

htpasswd -c ./auth <username>

  2. Now use kubectl to create a secret in the monitoring namespace using the file created by htpasswd.

kubectl create secret generic mysecret --from-file auth --namespace=monitoring

  3. Enable basic authentication by attaching annotations to Ingress object:

ingress.kubernetes.io/auth-type: "basic"

ingress.kubernetes.io/auth-secret: "mysecret"

So, full example config of basic authentication can look like:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus-dashboard
  namespace: monitoring
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/auth-type: "basic"
    ingress.kubernetes.io/auth-secret: "mysecret"
spec:
  rules:
  - host: dashboard.prometheus.example.com
    http:
      paths:
      - backend:
          serviceName: prometheus
          servicePort: 9090

  4. You can apply the example as following:

kubectl create -f prometheus-ingress.yaml -n monitoring

This should work without any issues.

d0bry answered Oct 28 '22 02:10